diff --git a/files/keystone_data.sh b/files/keystone_data.sh
index 32d4e1a024..17e8c59eb6 100755
--- a/files/keystone_data.sh
+++ b/files/keystone_data.sh
@@ -71,6 +71,8 @@ if [[ "$ENABLED_SERVICES" =~ "heat" ]]; then
     keystone user-role-add --tenant_id $SERVICE_TENANT \
                            --user_id $HEAT_USER \
                            --role_id $ADMIN_ROLE
+    # heat_stack_user role is for users created by Heat
+    keystone role-create --name heat_stack_user
     if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then
         HEAT_CFN_SERVICE=$(get_id keystone service-create \
             --name=heat-cfn \