diff --git a/glance/templates/configmap-etc.yaml b/glance/templates/configmap-etc.yaml
index 3c922db44c..28d3b93186 100644
--- a/glance/templates/configmap-etc.yaml
+++ b/glance/templates/configmap-etc.yaml
@@ -170,5 +170,6 @@ data:
 glance-registry.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.glance_registry | b64enc }}
 glance-registry-paste.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste_registry | b64enc }}
 policy.json: {{ toJson .Values.conf.policy | b64enc }}
+ api_audit_map.conf: {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.api_audit_map | b64enc }}
 {{- include "helm-toolkit.snippets.values_template_renderer" ( dict "envAll" $envAll "template" .Values.conf.swift_store "key" "swift-store.conf" "format" "Secret" ) | indent 2 }}
 {{- end }}
diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml
index 17b6487e75..21172f40e2 100644
--- a/glance/templates/deployment-api.yaml
+++ b/glance/templates/deployment-api.yaml
@@ -135,6 +135,10 @@ spec:
 mountPath: /etc/glance/policy.json
 subPath: policy.json
 readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 - name: glance-etc
 mountPath: {{ .Values.conf.glance.glance_store.swift_store_config_file }}
 subPath: swift-store.conf
diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml
index 25f90d78d6..c83962dcd1 100644
--- a/glance/templates/deployment-registry.yaml
+++ b/glance/templates/deployment-registry.yaml
@@ -90,6 +90,10 @@ spec:
 mountPath: /etc/glance/glance-registry.conf
 subPath: glance-registry.conf
 readOnly: true
+ - name: glance-etc
+ mountPath: /etc/glance/api_audit_map.conf
+ subPath: api_audit_map.conf
+ readOnly: true
 - name: glance-etc
 mountPath: {{ .Values.conf.glance.DEFAULT.log_config_append }}
 subPath: {{ base .Values.conf.glance.DEFAULT.log_config_append }}
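Review bot: The new mount in deployment-api.yaml hard-codes `/etc/glance/api_audit_map.conf`, while the path the audit filter actually reads is the `audit_map_file` value set under `filter:audit` in values.yaml, so an operator who overrides that value leaves the filter pointing at a file that is not mounted. The neighbouring swift-store mount already takes its path from values; the same could be done here with `mountPath: {{ index .Values.conf.paste "filter:audit" "audit_map_file" }}`. The identical mount added in deployment-registry.yaml has the same issue and would read from `.Values.conf.paste_registry` instead. The volumeMounts list continues outside both hunks.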
diff --git a/glance/values.yaml b/glance/values.yaml
index 7ed82dba72..28677b090e 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -164,11 +164,11 @@ conf:
 pipeline:glance-api-cachemanagement:
 pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
 pipeline:glance-api-keystone:
- pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context rootapp
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context rootapp
 pipeline:glance-api-keystone+caching:
- pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache rootapp
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache rootapp
 pipeline:glance-api-keystone+cachemanagement:
- pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken context cache cachemanage rootapp
+ pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler authtoken audit context cache cachemanage rootapp
 pipeline:glance-api-trusted-auth:
 pipeline: cors healthcheck http_proxy_to_wsgi versionnegotiation osprofiler context rootapp
 pipeline:glance-api-trusted-auth+cachemanagement:
@@ -201,6 +201,9 @@ conf:
 filter:authtoken:
 paste.filter_factory: keystonemiddleware.auth_token:filter_factory
 delay_auth_decision: true
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/glance/api_audit_map.conf
 filter:gzip:
 paste.filter_factory: glance.api.middleware.gzip:GzipMiddleware.factory
 filter:osprofiler:
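Review bot: `audit` is added only to the three `glance-api-keystone*` pipelines, so a deployment that selects one of the `trusted-auth` or unauthenticated pipelines shown as context here produces no audit events at all. That may be intended, since the filter sits directly after `authtoken` and presumably relies on the identity it establishes, but the gap should be stated next to the pipelines, for example `# NOTE: audit runs only in the keystone pipelines; other flavors emit no audit events`. The registry pipelines in the later `paste_registry` hunk follow the same pattern, with only `glance-registry-keystone` gaining the filter.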
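Review bot: The new `filter:audit` section sets only `paste.filter_factory` and `audit_map_file`, and nothing visible in this diff configures where the audit events are delivered. keystonemiddleware's audit filter sends them as oslo.messaging notifications, taking the driver from `[audit_middleware_notifications]` or, when that is unset, from `[oslo_messaging_notifications]`; if neither is set elsewhere in the chart, the events may not reach anything that retains them. A comment such as `# audit events use the notification driver from glance.conf; set audit_middleware_notifications/driver to route them separately` would make the dependency visible. The `filter:audit` section added under `paste_registry` in the last hunk has the same gap.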
@@ -356,11 +359,22 @@ conf:
 formatter_default:
 format: "%(message)s"
 datefmt: "%Y-%m-%d %H:%M:%S"
+ api_audit_map:
+ DEFAULT:
+ target_endpoint_type: None
+ path_keywords:
+ detail: None
+ file: None
+ images: image
+ members: member
+ tags: tag
+ service_endpoints:
+ image: 'service/storage/image'
 paste_registry:
 pipeline:glance-registry:
 pipeline: healthcheck osprofiler unauthenticated-context registryapp
 pipeline:glance-registry-keystone:
- pipeline: healthcheck osprofiler authtoken context registryapp
+ pipeline: healthcheck osprofiler authtoken audit context registryapp
 pipeline:glance-registry-trusted-auth:
 pipeline: healthcheck osprofiler context registryapp
 app:registryapp:
@@ -379,6 +393,9 @@ conf:
 paste.filter_factory: osprofiler.web:WsgiMiddleware.factory
 hmac_keys: SECRET_KEY # DEPRECATED
 enabled: yes # DEPRECATED
+ filter:audit:
+ paste.filter_factory: keystonemiddleware.audit:filter_factory
+ audit_map_file: /etc/glance/api_audit_map.conf
 glance_registry:
 DEFAULT:
 # NOTE(portdirect): the bind port should not be defined, and is manipulated
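Review bot: The unquoted `None` values under `api_audit_map` (`target_endpoint_type`, `detail`, `file`) are the literal string "None" in YAML, not a null, and the rendered `api_audit_map.conf` depends on that string surviving. Quoting them, as in `detail: 'None'`, makes the intent explicit and keeps a later edit from normalising them to `null` or `~`, which would presumably render differently through `to_oslo_conf`. `service_endpoints.image` is already quoted, so this would also make the block consistent.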