diff --git a/inventory/group_vars/all/keystone.yml b/inventory/group_vars/all/keystone.yml
index 84d83a712b..f82f1022a7 100644
--- a/inventory/group_vars/all/keystone.yml
+++ b/inventory/group_vars/all/keystone.yml
@@ -40,6 +40,3 @@ keystone_service_publicuri_insecure: False
 
 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"
-
-# NOTE(noonedeadpunk): Drop variable after Y release. Placed for upgrade purposes only
-openstack_service_token_roles_required: False
diff --git a/releasenotes/notes/service_token_roles_required-5d0dce2878775b23.yaml b/releasenotes/notes/service_token_roles_required-5d0dce2878775b23.yaml
new file mode 100644
index 0000000000..f005cd5c25
--- /dev/null
+++ b/releasenotes/notes/service_token_roles_required-5d0dce2878775b23.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    Since Yoga release ``service`` role is being assigned to all service users.
+    Though, service_token_roles_required was set to ``False`` for upgrade
+    purposes. Now ``service_token_roles_required`` is set to ``True`` by
+    default. If you still want to preserve old behaviour, you can define
+    ``openstack_service_token_roles_required: False`` in your user_variables.