diff --git a/diskimage_builder/elements/ironic-agent/element-deps b/diskimage_builder/elements/ironic-agent/element-deps
index 39d864612..665e0da3e 100644
--- a/diskimage_builder/elements/ironic-agent/element-deps
+++ b/diskimage_builder/elements/ironic-agent/element-deps
@@ -1,4 +1,5 @@
 dhcp-all-interfaces
+install-static
 no-final-image
 package-installs
 pip-and-virtualenv
diff --git a/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent b/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
index 38dae821f..bc3a15fdd 100755
--- a/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
+++ b/diskimage_builder/elements/ironic-agent/post-install.d/80-ironic-agent
@@ -24,6 +24,7 @@ case "$DIB_INIT_SYSTEM" in
             systemctl disable iptables.service
         fi
         systemctl enable $(svc-map ironic-python-agent).service
+        systemctl enable ironic-agent-create-rescue-user.path
         ;;
     sysv)
         update-rc.d iptables disable
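Review bot: The new `systemctl enable ironic-agent-create-rescue-user.path` line sits only in the systemd arm of the `case`, so the `sysv)` arm visible below it gets no equivalent hook. The case statement starts and ends outside this hunk, so other arms may differ, but as shown an image built for a non-systemd init would never create the rescue account even when the password file is present. If that is intentional, say so next to the new line, for example `# rescue user creation is wired up for systemd only; other init systems get no rescue account`.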
diff --git a/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path
new file mode 100644
index 000000000..9987044e4
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.path
@@ -0,0 +1,8 @@
+[Unit]
+Description=Ironic user rescue - notify path existence
+
+[Path]
+PathExists=/etc/ipa-rescue-config/ipa-rescue-password
+
+[Install]
+WantedBy=multi-user.target
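Review bot: `PathExists=` fires as soon as `/etc/ipa-rescue-config/ipa-rescue-password` appears, so the service can start while the writer is still filling the file and read an empty or truncated hash. The writer is not part of this change, so whether it creates the file atomically cannot be confirmed from here. I would document the requirement in the unit, e.g. `# The writer must create this file atomically (write a temp name in the same directory, then rename); the service starts as soon as the path exists.` It is also worth stating that the directory should be root-owned and not readable by other users, because the file holds a password hash.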
diff --git a/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service
new file mode 100644
index 000000000..befeda666
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/etc/systemd/system/ironic-agent-create-rescue-user.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Ironic agent rescue user creation
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ironic-python-agent-create-rescue-user.sh
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
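Review bot: The `[Install]` section with `WantedBy=multi-user.target` is unused, because post-install enables only the `.path` unit, which starts this service by name. If someone later enables the service directly, it would run on every boot before the password file exists; the script then fails on the missing file under `set -e` and the unit is left in a failed state. Dropping the `[Install]` section keeps the path unit as the only activation route. A short comment such as `# Started by ironic-agent-create-rescue-user.path; do not enable directly` would make that explicit.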
diff --git a/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh b/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh
new file mode 100755
index 000000000..aee408c0a
--- /dev/null
+++ b/diskimage_builder/elements/ironic-agent/static/usr/local/bin/ironic-python-agent-create-rescue-user.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+echo "Adding rescue user with root privileges..."
+crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password)
+useradd -m rescue -G wheel -p $crypted_pass
+echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue
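Review bot: The `useradd -m rescue -G wheel -p $crypted_pass` line passes the hash unquoted on the command line, so it is subject to word splitting and globbing and is visible in the process list while useradd runs; feeding it to `chpasswd -e` on stdin avoids both. Nothing checks that the file produced a non-empty value, and once the expansion is quoted an empty file would create an account with an empty password field next to a `NOPASSWD: ALL` sudo rule, so the script should refuse to continue in that case. `/etc/sudoers.d/rescue` is created with whatever umask the service inherits; setting mode 0440 explicitly is the conventional mode for sudoers files. useradd also fails when the user already exists, which under `set -e` stops the script before the sudoers file is written, so a guard is worth adding if the unit can be triggered more than once.

```shell
# … unchanged: shebang, trace toggle, set -eu / pipefail, banner echo …
crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password)
if [[ -z "$crypted_pass" ]]; then
    echo "Rescue password file is empty; not creating rescue user" >&2
    exit 1
fi
useradd -m -G wheel rescue
printf 'rescue:%s\n' "$crypted_pass" | chpasswd -e
echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue
chmod 0440 /etc/sudoers.d/rescue
```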