diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index 1ac23f9c..da652c68 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -39,6 +39,14 @@
 # (optional) Whether to create the S3 endpoint.
 # Defaults to true
 #
+# [*configure_user*]
+# (Optional) Whether to create the service user.
+# Defaults to 'true'.
+#
+# [*configure_user_role*]
+# (Optional) Whether to configure the admin role for the service user.
+# Defaults to 'true'.
+#
 # [*service_name*]
 # (optional) Name of the service.
 # Defaults to the value of auth_name, but must differ from the value
@@ -155,6 +163,8 @@ class swift::keystone::auth(
 $service_description_s3 = 'Openstack S3 Service',
 $configure_endpoint = true,
 $configure_s3_endpoint = true,
+ $configure_user = true,
+ $configure_user_role = true,
 $public_url = 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s',
 $admin_url = 'http://127.0.0.1:8080',
 $internal_url = 'http://127.0.0.1:8080/v1/AUTH_%(tenant_id)s',
@@ -274,6 +284,8 @@ class swift::keystone::auth(
 keystone::resource::service_identity { 'swift':
 configure_endpoint => $configure_endpoint,
+ configure_user => $configure_user,
+ configure_user_role => $configure_user_role,
 service_name => $real_service_name,
 service_type => 'object-store',
 service_description => $service_description,
@@ -307,6 +319,8 @@ class swift::keystone::auth(
 }
 # Backward compatibility
- Keystone_user[$auth_name] -> Keystone_user_role["${auth_name}@${tenant}"]
+ if $configure_user {
+ Keystone_user[$auth_name] -> Keystone_user_role["${auth_name}@${tenant}"]
+ }
 }
diff --git a/spec/classes/swift_keystone_auth_spec.rb b/spec/classes/swift_keystone_auth_spec.rb
index b4479c03..b23fee82 100644
--- a/spec/classes/swift_keystone_auth_spec.rb
+++ b/spec/classes/swift_keystone_auth_spec.rb
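Review bot: In the first hunk of manifests/keystone/auth.pp the two new parameter docs give the default as the quoted string `'true'`, while the signature added in the second hunk uses the boolean `true`; a caller who copies the quoted form and passes `'false'` gets a truthy value, so the doc lines should read `# Defaults to true`. The `configure_user` entry should also say that when it is false the user named by `auth_name` must already exist in Keystone and, judging by the updated spec, is still given the role on the tenant unless `configure_user_role` is false as well. That matters for least privilege because the role asserted in the default spec context is `admin`, so an account created and owned outside this module ends up with it.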
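Review bot: The guard added in the last hunk of manifests/keystone/auth.pp tests only `$configure_user`, so with `configure_user => true` and `configure_user_role => false` the ordering arrow still names `Keystone_user_role["${auth_name}@${tenant}"]`. The body of `keystone::resource::service_identity` is not visible here, but if it skips declaring that resource when `configure_user_role` is false (which is what the new spec asserts for the both-false case), the relationship has no target and the catalog would fail to compile. Guarding on both flags avoids that: `if $configure_user and $configure_user_role {`. The class body starts outside this hunk.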
@@ -135,28 +135,63 @@ describe 'swift::keystone::auth' do
 default_params.merge( params )
 end
- it { is_expected.to contain_keystone_user(p[:auth_name]).with(
- :ensure => 'present',
- :password => p[:password],
- :email => p[:email]
- )}
+ context 'when user configuration is set to default' do
+ it { is_expected.to contain_keystone_user(p[:auth_name]).with(
+ :ensure => 'present',
+ :password => p[:password],
+ :email => p[:email]
+ )}
- it { is_expected.to contain_keystone_user_role("#{p[:auth_name]}@#{p[:tenant]}").with(
- :ensure => 'present',
- :roles => ['admin'],
- )}
+ it { is_expected.to contain_keystone_user_role("#{p[:auth_name]}@#{p[:tenant]}").with(
+ :ensure => 'present',
+ :roles => ['admin'],
+ )}
- it { is_expected.to contain_keystone_service("#{p[:auth_name]}::object-store").with(
- :ensure => 'present',
- :type => 'object-store',
- :description => 'Openstack Object-Store Service'
- )}
+ it { is_expected.to contain_keystone_service("#{p[:auth_name]}::object-store").with(
+ :ensure => 'present',
+ :type => 'object-store',
+ :description => 'Openstack Object-Store Service'
+ )}
- it { is_expected.to contain_keystone_service("#{p[:auth_name]}_s3::s3").with(
- :ensure => 'present',
- :type => 's3',
- :description => 'Openstack S3 Service'
- )}
+ it { is_expected.to contain_keystone_service("#{p[:auth_name]}_s3::s3").with(
+ :ensure => 'present',
+ :type => 's3',
+ :description => 'Openstack S3 Service'
+ )}
+ end
+
+ context 'when user configuration is disabled' do
+ before do
+ params.merge!( :configure_user => false )
+ end
+
+ it { is_expected.to_not contain_keystone_user(p[:auth_name]) }
+ it { is_expected.to contain_keystone_user_role("#{p[:auth_name]}@#{p[:tenant]}") }
+
+ it { is_expected.to contain_keystone_service("#{p[:auth_name]}::object-store").with(
+ :ensure => 'present',
+ :type => 'object-store',
+ :description => 'Openstack Object-Store Service'
+ )}
+ end
+
+ context 'when disabling user and role configuration' do
+ before do
+ params.merge!(
+ :configure_user => false,
+ :configure_user_role => false
+ )
+ end
+
+ it { is_expected.to_not contain_keystone_user(p[:auth_name]) }
+ it { is_expected.to_not contain_keystone_user_role("#{p[:auth_name]}@#{p[:tenant]}") }
+
+ it { is_expected.to contain_keystone_service("#{p[:auth_name]}::object-store").with(
+ :ensure => 'present',
+ :type => 'object-store',
+ :description => 'Openstack Object-Store Service'
+ )}
+ end
 end
 context 'on Debian platforms' do
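Review bot: None of the three new contexts sets `:configure_user_role => false` while leaving `:configure_user` at its default, which is the one combination where the ordering arrow in auth.pp can point at a role resource that was never declared. A fourth context that merges only `:configure_user_role => false` and asserts `it { is_expected.to compile }` alongside `it { is_expected.to_not contain_keystone_user_role("#{p[:auth_name]}@#{p[:tenant]}") }` would catch that. The 'when user configuration is disabled' context also checks only that the role resource exists; adding `.with(:roles => ['admin'])` there would document that a user not managed by this class is still granted admin.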