diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index d72cf1d1e..4650c680a 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -71,6 +71,14 @@
 # (optional) Whether to create the v3 endpoint.
 # Defaults to true
 #
+# [*configure_user*]
+# (optional) Whether to create the service user.
+# Defaults to true
+#
+# [*configure_user_role*]
+# (optional) Whether to configure the admin role for the service user.
+# Defaults to true
+#
 # [*cinder*]
 # (optional) Deprecated and has no effect
 # Defaults to undef
@@ -105,6 +113,8 @@ class nova::keystone::auth(
 $public_protocol = 'http',
 $configure_endpoint = true,
 $configure_endpoint_v3 = true,
+ $configure_user = true,
+ $configure_user_role = true,
 $admin_protocol = 'http',
 $internal_protocol = 'http'
 ) {
@@ -127,16 +137,22 @@ class nova::keystone::auth(
 Keystone_endpoint["${region}/${real_service_name}"] ~> Service <| name == 'nova-api' |>
- keystone_user { $auth_name:
- ensure => present,
- password => $password,
- email => $email,
- tenant => $tenant,
+ if $configure_user {
+ keystone_user { $auth_name:
+ ensure => present,
+ password => $password,
+ email => $email,
+ tenant => $tenant,
+ }
 }
- keystone_user_role { "${auth_name}@${tenant}":
- ensure => present,
- roles => 'admin',
+
+ if $configure_user_role {
+ keystone_user_role { "${auth_name}@${tenant}":
+ ensure => present,
+ roles => 'admin',
+ }
 }
+
 keystone_service { $real_service_name:
 ensure => present,
 type => 'compute',
diff --git a/spec/classes/nova_keystone_endpoint_spec.rb b/spec/classes/nova_keystone_endpoint_spec.rb
index 6beb46cd9..7b515e4f0 100644
--- a/spec/classes/nova_keystone_endpoint_spec.rb
+++ b/spec/classes/nova_keystone_endpoint_spec.rb
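Review bot: `$configure_user` and `$configure_user_role` are added to the parameter list in the second auth.pp hunk without any type check, so a non-boolean value such as the string `'false'` is truthy in the `if` guards added further down, and the user and its `admin` role would still be declared. If puppetlabs-stdlib is available to this module (not visible here), `validate_bool($configure_user, $configure_user_role)` at the top of the class body would turn that misconfiguration into a compile error. The existing `$configure_endpoint` parameters appear to have the same gap, and the class body continues outside the hunk.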
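Review bot: In the third auth.pp hunk, `configure_user => false` with the default `configure_user_role => true` still declares `keystone_user_role { "${auth_name}@${tenant}":` with `roles => 'admin'`, so the class grants `admin` to an account it no longer creates or manages. The header comment for `configure_user_role` should say so, for example `# The role is still assigned when configure_user is false; the user must then be managed elsewhere.` Any reference to `Keystone_user[$auth_name]` or `Keystone_user_role["${auth_name}@${tenant}"]` elsewhere in the class (the body continues outside the hunk) would need the same guards, otherwise the catalog would fail to compile when the resource is disabled.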
@@ -137,6 +137,42 @@ describe 'nova::keystone::auth' do
 it { should_not contain_keystone_endpoint('RegionOne/nova_ec2') }
 end
+ describe 'when disabling user configuration' do
+ before do
+ params.merge!( :configure_user => false )
+ end
+
+ it { should_not contain_keystone_user('nova') }
+
+ it { should contain_keystone_user_role('nova@services') }
+
+ it { should contain_keystone_service('nova').with(
+ :ensure => 'present',
+ :type => 'compute',
+ :description => 'Openstack Compute Service'
+ )}
+ end
+
+ describe 'when disabling user and user role configuration' do
+ let :params do
+ {
+ :configure_user => false,
+ :configure_user_role => false,
+ :password => 'nova_password'
+ }
+ end
+
+ it { should_not contain_keystone_user('nova') }
+
+ it { should_not contain_keystone_user_role('nova@services') }
+
+ it { should contain_keystone_service('nova').with(
+ :ensure => 'present',
+ :type => 'compute',
+ :description => 'Openstack Compute Service'
+ )}
+ end
+
 describe 'when configuring nova-api and the keystone endpoint' do
 let :pre_condition do
 "class { 'nova::api': admin_password => 'test' }
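Review bot: The two new contexts leave out the combination `configure_user => true` with `configure_user_role => false`, which is the only case showing that the role guard works independently of the user guard. A third context asserting `it { should contain_keystone_user('nova') }` and `it { should_not contain_keystone_user_role('nova@services') }` would cover it. The first context also mutates `params` with `merge!` in a `before` block while the second replaces it with `let :params`; using `let` in both would keep them consistent. `params` itself is defined outside the hunk.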