diff --git a/ansible/roles/keystone/tasks/bootstrap_service.yml b/ansible/roles/keystone/tasks/bootstrap_service.yml
index 8a20685edd..da27564019 100644
--- a/ansible/roles/keystone/tasks/bootstrap_service.yml
+++ b/ansible/roles/keystone/tasks/bootstrap_service.yml
@@ -6,10 +6,28 @@
       - keystone_fernet
   register: container_facts
 
+# FIXME(mgoddard): This does not catch some cases we might consider
+# bootstrapped:
+# * the keystone_fernet container is created but not running
+# * the keystone_fernet volume exists but no container
+# Probably what we care about is the existence of Fernet key 0.
 - name: Group nodes where keystone_fernet is running
   group_by:
     key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}
 
+# NOTE(mgoddard): If we bootstrap Fernet keys on an existing cluster, this
+# would overwrite existing keys, and invalidate tokens created from them.
+- name: Fail if any hosts need bootstrapping and not all hosts targeted
+  fail:
+    msg: >
+      Some hosts ({{ groups['keystone_fernet_bootstrap'] | join(', ') }}) need
+      Fernet key bootstrapping, but not all Keystone hosts are in the target
+      list. Stopping as it may be unsafe to proceed. Please run without --limit
+      or --serial to bootstrap these hosts.
+  when:
+    - groups['keystone_fernet_running'] is not defined
+    - groups['keystone'] | difference(ansible_play_batch) | list | length > 0
+
 - name: Running Keystone bootstrap container
   vars:
     keystone: "{{ keystone_services.keystone }}"
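Review bot: The failure message at the `msg:` line indexes `groups['keystone_fernet_bootstrap']` unguarded, but the `when` conditions only require that `keystone_fernet_running` is undefined — a host whose container State is something other than running (the "created but not running" case the FIXME above lists) lands in a differently named group, so the task still fires but the message render itself errors on an undefined key instead of explaining the problem. A safe form is `Some hosts ({{ groups['keystone_fernet_bootstrap'] | default([]) | join(', ') }}) need`, which keeps the guard working for every non-running state. Separately, `msg: >` keeps a trailing newline in the rendered message; `msg: >-` would drop it. Whether the bootstrap task that follows is itself gated on these groups is outside the hunk and could not be checked here.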
diff --git a/releasenotes/notes/prevent-keystone-bootstrap-limit-f0250725633c16de.yaml b/releasenotes/notes/prevent-keystone-bootstrap-limit-f0250725633c16de.yaml
new file mode 100644
index 0000000000..90f35d520e
--- /dev/null
+++ b/releasenotes/notes/prevent-keystone-bootstrap-limit-f0250725633c16de.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Prevents adding a new Keystone host to an existing cluster when not
+    targeting all Keystone hosts (e.g. due to ``--limit`` or ``--serial``
+    arguments), to avoid overwriting existing Fernet keys. `LP#1891364
+    <https://bugs.launchpad.net/kolla-ansible/+bug/1891364>`__