diff --git a/tasks/octavia_policy.yml b/tasks/octavia_policy.yml
index 1f6e4d49..953c35ee 100644
--- a/tasks/octavia_policy.yml
+++ b/tasks/octavia_policy.yml
@@ -13,30 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Create load-balancer_observer role
- keystone:
- command: "ensure_role"
- endpoint: "{{ keystone_service_adminurl }}"
- login_user: "{{ keystone_admin_user_name }}"
- login_password: "{{ keystone_auth_admin_password }}"
- login_project_name: "{{ keystone_admin_tenant_name }}"
- region_name: "{{ octavia_service_region }}"
- service_name: "{{ octavia_service_name }}"
- service_type: "{{ octavia_service_type }}"
- insecure: "{{ keystone_service_adminuri_insecure }}"
- role_name: "{{ item }}"
- register: add_role
- until: add_role is success
- retries: 5
- delay: 10
- no_log: True
- with_items:
- - load-balancer_observer
- - load-balancer_global_observer
- - load-balancer_member
- - load-balancer_admin
- - load-balancer_quota_admin
-
 - name: Set legacy role policies
 config_template:
 src: policy.json.j2
diff --git a/tasks/octavia_service_add.yml b/tasks/octavia_service_add.yml
index 3029ac9f..28c0cc6b 100644
--- a/tasks/octavia_service_add.yml
+++ b/tasks/octavia_service_add.yml
@@ -93,3 +93,16 @@
 url: "{{ octavia_service_adminuri }}"
 when: octavia_v2 | bool
 
+ - name: Create service roles
+ os_keystone_role:
+ cloud: default
+ state: present
+ name: "{{ item }}"
+ endpoint_type: admin
+ verify: "{{ not keystone_service_adminuri_insecure }}"
+ with_items:
+ - load-balancer_observer
+ - load-balancer_global_observer
+ - load-balancer_member
+ - load-balancer_admin
+ - load-balancer_quota_admin
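Review bot: The `verify: "{{ not keystone_service_adminuri_insecure }}"` line in the added "Create service roles" task negates the variable without casting it. If the value ever arrives as a string (for instance from an extra-vars override), any non-empty string, including "false", is truthy in Jinja, so the expression becomes false and TLS certificate verification is switched off even though the operator asked for it to stay on. Casting first keeps the intent explicit: `verify: "{{ not (keystone_service_adminuri_insecure | bool) }}"`, in line with the `when: octavia_v2 | bool` context line just above it. Separately, the task removed from tasks/octavia_policy.yml retried with `until: add_role is success`, `retries: 5` and `delay: 10`, and the replacement carries no retry, so it is worth confirming that failing on the first transient Keystone error is intended. Whether the new task sits inside a block with its own delegation or conditions cannot be seen from this hunk.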