diff --git a/etc/heat/heat.conf.sample b/etc/heat/heat.conf.sample
index cec3f01c48..c14c6051db 100644
--- a/etc/heat/heat.conf.sample
+++ b/etc/heat/heat.conf.sample
@@ -35,9 +35,10 @@
 # (string value)
 #deferred_auth_method=password
-# Subset of trustor roles to be delegated to heat. (list
-# value)
-#trusts_delegated_roles=heat_stack_owner
+# Subset of trustor roles to be delegated to heat. If left
+# unset, all roles of a user will be delegated to heat when
+# creating a stack. (list value)
+#trusts_delegated_roles=
 # Maximum resources allowed per top-level stack. (integer
 # value)
diff --git a/heat/common/config.py b/heat/common/config.py
index 1a62de9e6b..d700240c65 100644
--- a/heat/common/config.py
+++ b/heat/common/config.py
@@ -105,8 +105,10 @@ engine_opts = [
                help=_('Select deferred auth method, '
                       'stored password or trusts.')),
     cfg.ListOpt('trusts_delegated_roles',
-                default=['heat_stack_owner'],
-                help=_('Subset of trustor roles to be delegated to heat.')),
+                default=[],
+                help=_('Subset of trustor roles to be delegated to heat.'
+                       ' If left unset, all roles of a user will be'
+                       ' delegated to heat when creating a stack.')),
     cfg.IntOpt('max_resources_per_stack', default=1000,
                help=_('Maximum resources allowed per top-level stack.')),
diff --git a/heat/common/heat_keystoneclient.py b/heat/common/heat_keystoneclient.py
index 378cf7b481..9dd469e66a 100644
--- a/heat/common/heat_keystoneclient.py
+++ b/heat/common/heat_keystoneclient.py
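Review bot: The new help text for `trusts_delegated_roles` in config.py (and the identical text in heat.conf.sample) does not say what "all roles of a user" means in practice: the trust is created with `impersonation=True` (visible as context in the heat_keystoneclient.py hunk), so leaving the option unset now hands the heat service user every role the stack creator holds, and the commit's own test expects `'admin'` to be among the delegated `role_names`. An operator reading only the option help will not see that the default has become broader than the previous `heat_stack_owner` subset. Suggest extending the help string with something like `' Leaving this unset delegates every role the user holds, including any admin role; set it to the minimal role set heat needs.'`.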
@@ -275,7 +275,11 @@ class KeystoneClientV3(object):
         trustee_user_id = self.admin_client.auth_ref.user_id
         trustor_user_id = self.client.auth_ref.user_id
         trustor_project_id = self.client.auth_ref.project_id
-        roles = cfg.CONF.trusts_delegated_roles
+        # inherit the roles of the trustor, unless set trusts_delegated_roles
+        if cfg.CONF.trusts_delegated_roles:
+            roles = cfg.CONF.trusts_delegated_roles
+        else:
+            roles = self.context.roles
         try:
             trust = self.client.trusts.create(trustor_user=trustor_user_id,
                                               trustee_user=trustee_user_id,
diff --git a/heat/engine/service.py b/heat/engine/service.py
index 6e23e7a43e..2fa0bb8afc 100644
--- a/heat/engine/service.py
+++ b/heat/engine/service.py
@@ -371,6 +371,14 @@ class EngineService(service.Service):
                           'deprecated and will be removed in the Juno '
                           'release.',
                           DeprecationWarning)
+        if cfg.CONF.trusts_delegated_roles:
+            warnings.warn('The default value of "trusts_delegated_roles" '
+                          'option in heat.conf is changed to [] in Kilo '
+                          'and heat will delegate all roles of trustor. '
+                          'Please keep the same if you do not want to '
+                          'delegate subset roles when upgrading.',
+                          Warning)
+
     def create_periodic_tasks(self):
         LOG.debug("Starting periodic watch tasks pid=%s" % os.getpid())
         # Note with multiple workers, the parent process hasn't called start()
diff --git a/heat/tests/test_heatclient.py b/heat/tests/test_heatclient.py
index 282052e6c6..b3c9fd89da 100644
--- a/heat/tests/test_heatclient.py
+++ b/heat/tests/test_heatclient.py
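Review bot: The fallback `roles = self.context.roles` delegates the trustor's entire role list under a trust created with `impersonation=True`, so a stack created by a user holding `admin` yields a trust that lets the heat service user act with that role for the project — the commit's own test (`trustor_roles = ['heat_stack_owner', 'admin', '__member__']`) exercises exactly that. That is the intended behaviour of the change, but the inline comment does not convey the widening; I'd reword it to `# Delegate the configured subset of roles; when trusts_delegated_roles is unset, delegate every role the trustor holds (admin roles included).` It would also help to log the final `roles` list at debug level just before `trusts.create` so operators can audit what each trust carries. If `self.context.roles` can be empty for some callers, the trust would be created with no roles at all — worth confirming against the context implementation. The enclosing method starts and ends outside the hunk.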
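Review bot: The upgrade warning fires for the wrong case: it is raised when `trusts_delegated_roles` is set, i.e. for operators who already restrict delegation and are unaffected by the new default, while an operator who relied on the old implicit default (`['heat_stack_owner']`) and never set the option gets no warning and silently starts delegating all trustor roles. Invert the condition to `if not cfg.CONF.trusts_delegated_roles:` and reword the message to state that every role of the trustor will now be delegated and that setting `trusts_delegated_roles` restricts the trust to a subset. As written, "Please keep the same if you do not want to delegate subset roles" is also hard to parse. The enclosing method begins outside the hunk.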
@@ -492,7 +492,14 @@ class KeystoneClientTest(HeatTestCase):
         trust_context = heat_ks_client.create_trust_context()
         self.assertEqual(ctx.to_dict(), trust_context.to_dict())
-    def test_create_trust_context_trust_create(self):
+    def test_create_trust_context_trust_create_deletegate_subset_roles(self):
+        delegate_roles = ['heat_stack_owner']
+        self._test_create_trust_context_trust_create(delegate_roles)
+
+    def test_create_trust_context_trust_create_deletegate_all_roles(self):
+        self._test_create_trust_context_trust_create()
+
+    def _test_create_trust_context_trust_create(self, delegate_roles=None):
         """Test create_trust_context when creating a trust."""
@@ -503,22 +510,26 @@ class KeystoneClientTest(HeatTestCase):
         self._stubs_v3()
         cfg.CONF.set_override('deferred_auth_method', 'trusts')
-        cfg.CONF.set_override('trusts_delegated_roles', ['heat_stack_owner'])
+        if delegate_roles:
+            cfg.CONF.set_override('trusts_delegated_roles', delegate_roles)
+        trustor_roles = ['heat_stack_owner', 'admin', '__member__']
+        trustee_roles = delegate_roles or trustor_roles
         self.mock_ks_v3_client.auth_ref = self.m.CreateMockAnything()
         self.mock_ks_v3_client.auth_ref.user_id = '5678'
         self.mock_ks_v3_client.auth_ref.project_id = '42'
         self.mock_ks_v3_client.trusts = self.m.CreateMockAnything()
+
         self.mock_ks_v3_client.trusts.create(
             trustor_user='5678',
             trustee_user='1234',
             project='42',
             impersonation=True,
-            role_names=['heat_stack_owner']).AndReturn(MockTrust())
+            role_names=trustee_roles).AndReturn(MockTrust())
         self.m.ReplayAll()
-        ctx = utils.dummy_context()
+        ctx = utils.dummy_context(roles=trustor_roles)
         ctx.trust_id = None
         heat_ks_client = heat_keystoneclient.KeystoneClient(ctx)
         trust_context = heat_ks_client.create_trust_context()
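Review bot: The new test names `test_create_trust_context_trust_create_deletegate_subset_roles` and `..._deletegate_all_roles` misspell "delegate", which makes them awkward to find later; rename them to `..._delegate_subset_roles` and `..._delegate_all_roles`. The docstring kept on `_test_create_trust_context_trust_create` no longer describes the parameter it gained; something like `"""Test create_trust_context when creating a trust; delegate_roles, if given, overrides trusts_delegated_roles, otherwise every trustor role is expected."""` would do. The helper's body continues past this hunk.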
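Review bot: The all-roles path assumes `trusts_delegated_roles` is still at its default whenever `delegate_roles` is None, but nothing in the helper clears an override left behind by another test, so the expected `role_names=trustee_roles` could pass or fail depending on test ordering unless the base class already resets overrides. Add an `else: cfg.CONF.clear_override('trusts_delegated_roles')` branch after the new `if delegate_roles:` block. Because `trustor_roles` includes `'admin'`, this test is also where the widened delegation is pinned; a comment such as `# with no subset configured the trust carries every trustor role, admin included` would make that intent explicit for future readers. The helper's beginning is outside this hunk.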