diff --git a/defaults/main.yml b/defaults/main.yml
index 8ab2c675..2dc19a5c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -108,7 +108,12 @@ ironic_service_region: "{{ service_region | default('RegionOne') }}"
 ironic_service_project_name: "service"
 ironic_service_project_domain_id: default
 ironic_service_user_domain_id: default
-ironic_service_role_name: "admin"
+ironic_service_role_names:
+ - admin
+ - service
+ironic_service_token_roles:
+ - service
+ironic_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 ironic_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 # Ironic image store information
@@ -311,7 +316,12 @@ ironic_inspector_service_adminuri: "{{ ironic_inspector_service_adminuri_proto }
 ironic_inspector_service_adminurl: "{{ ironic_inspector_service_adminuri }}"
 ironic_inspector_service_internaluri: "{{ ironic_inspector_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ ironic_inspector_service_port }}"
 ironic_inspector_service_internalurl: "{{ ironic_inspector_service_internaluri }}"
-ironic_inspector_service_role_name: "admin"
+ironic_inspector_service_role_names:
+ - admin
+ - service
+ironic_inspector_service_token_roles:
+ - service
+ironic_inspector_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 ironic_inspector_service_project_name: "service"
 ironic_inspector_service_in_ldap: "{{ service_ldap_backend_enabled | default(False) }}"
 ironic_inspector_service_domain_id: default
diff --git a/templates/inspector.conf.j2 b/templates/inspector.conf.j2
index 6b7f0447..2bb77ebb 100644
--- a/templates/inspector.conf.j2
+++ b/templates/inspector.conf.j2
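Review bot: Replacing `ironic_service_role_name` with the list `ironic_service_role_names` in defaults/main.yml (and `ironic_inspector_service_role_name` in the second hunk) drops the old variable without a fallback, so a deployment that had overridden it with a narrower role would, as far as this diff shows, silently get `admin` plus `service` on the next run. Either keep honouring the old name, e.g. `ironic_service_role_names: "{{ [ironic_service_role_name | default('admin'), 'service'] }}"`, or add a comment above the new variable such as `# Replaces ironic_service_role_name; overrides of the old name are ignored` and cover the rename in a release note. It would also help to state next to the default why the service user still needs `admin` once it holds `service`.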
@@ -62,6 +62,11 @@ project_name = "service"
 username = ironic_inspector
 password = {{ ironic_inspector_service_password }}
 region_name = {{ keystone_service_region }}
+
+service_token_roles = {{ ironic_inspector_service_token_roles | join(',') }}
+service_token_roles_required = {{ ironic_inspector_service_token_roles_required | bool }}
+service_type = {{ ironic_inspector_service_type }}
+
 memcached_servers = {{ memcached_servers }}
 # if your memcached server is shared, use these settings to avoid cache poisoning
 memcache_security_strategy = ENCRYPT
diff --git a/templates/ironic.conf.j2 b/templates/ironic.conf.j2
index e7b5a253..472ff305 100644
--- a/templates/ironic.conf.j2
+++ b/templates/ironic.conf.j2
@@ -128,6 +128,10 @@ username = {{ ironic_service_user_name }}
 password = {{ ironic_service_password }}
 region_name = {{ keystone_service_region }}
+service_token_roles = {{ ironic_service_token_roles | join(',') }}
+service_token_roles_required = {{ ironic_service_token_roles_required | bool }}
+service_type = {{ ironic_service_type }}
+
 memcached_servers = {{ ironic_memcached_servers }}
 token_cache_time = 300
diff --git a/vars/main.yml b/vars/main.yml
index c54c1468..c3fa7eb2 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -147,7 +147,7 @@ ironic_service_user_list: >
 {
 'name': ironic_service_user_name,
 'password': ironic_service_password,
- 'role': ironic_service_role_name
+ 'role': ironic_service_role_names
 }
 )
 %}
@@ -157,7 +157,7 @@ ironic_service_user_list: >
 {
 'name': ironic_inspector_service_user_name,
 'password': ironic_inspector_service_password,
- 'role': ironic_inspector_service_role_name
+ 'role': ironic_inspector_service_role_names
 }
 )
 %}
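Review bot: `join(',')` on `ironic_inspector_service_token_roles` assumes the variable is a list; if a deployer overrides it with a plain string, Jinja iterates the characters and `service` renders as `s,e,r,v,i,c,e`, so with `service_token_roles_required` true no incoming service token would presumably match. The same applies to `ironic_service_token_roles` in the templates/ironic.conf.j2 hunk. Normalising first keeps both forms working: `service_token_roles = {{ [ironic_inspector_service_token_roles] | flatten | join(',') }}`. The section header these options land under is outside the hunk, so confirm they render inside `[keystone_authtoken]`.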
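Review bot: The three options added after `region_name` in templates/ironic.conf.j2 carry no comment, although `service_token_roles_required` changes request handling: once it renders true, a service token whose user holds none of the listed roles is no longer accepted as a service token. Add a comment above the block, for example `# Service tokens must carry one of service_token_roles; grant that role to calling service users first`, here and in templates/inspector.conf.j2. Whether the other services' users already hold the `service` role when this template is applied cannot be seen from the diff and is worth checking for upgrades.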
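Review bot: The `role` key in both `ironic_service_user_list` entries in vars/main.yml (the hunks at -147 and -157) now carries a list while keeping its singular name, and the task that consumes this structure is outside the diff. If that consumer passes `role` to a parameter expecting a single role name, the assignment would fail or receive a stringified list, so confirm it iterates over lists. Because the entries sit inside a Jinja statement in a folded scalar, the contract is best documented above the `ironic_service_user_list` key, which is outside the hunk, with something like `# 'role' is a list of role names granted to the user`.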