diff --git a/heat/values.yaml b/heat/values.yaml
index bb9c9f99ee..64f617e2de 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -283,10 +283,17 @@ network:
 port: 30003
 bootstrap:
- enabled: false
- ks_user: heat
+ enabled: true
+ ks_user: admin
 script: |
- openstack token issue
+ #NOTE(portdirect): required for all users who operate heat stacks
+ openstack role create --or-show heat_stack_owner
+
+ #NOTE(portdirect): The Orchestration service automatically assigns the
+ # 'heat_stack_user' role to users that it creates during stack deployment.
+ # By default, this role restricts API operations. To avoid conflicts, do
+ # not add this role to users with the heat_stack_owner role.
+ openstack role create --or-show heat_stack_user
 dependencies:
 static:
@@ -421,7 +428,9 @@ endpoints:
 user_domain_name: default
 project_domain_name: default
 heat:
- role: admin
+ role:
+ - admin
+ - heat_stack_owner
 region_name: RegionOne
 username: heat
 password: password
diff --git a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
index dce11eb213..c4908637cd 100644
--- a/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-ks-user.yaml.tpl
@@ -68,8 +68,13 @@ spec:
 {{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
 {{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
 {{- end }}
- - name: SERVICE_OS_ROLE
- value: {{ index $envAll.Values.endpoints.identity.auth $serviceUser "role" | quote }}
+ - name: SERVICE_OS_ROLES
+ {{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
+ {{- if kindIs "slice" $serviceOsRoles }}
+ value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
+ {{- else }}
+ value: {{ $serviceOsRoles | quote }}
+ {{- end }}
 volumes:
 - name: ks-user-sh
 configMap:
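Review bot: The bootstrap block now runs as `ks_user: admin` instead of `heat`, but neither NOTE says why the identity changed; someone later restoring `ks_user: heat` would presumably lose the ability to run `openstack role create`, since creating roles is an admin-level Keystone operation. Suggest a comment above `enabled: true` such as `#NOTE: role creation needs an identity admin, so this job uses the admin credentials rather than the heat service user`. The literals `heat_stack_owner` and `heat_stack_user` are repeated in the `endpoints.identity.auth.heat.role` hunk below and again in keystone/values.yaml, so the same NOTE should point at those copies to keep them from drifting.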
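Review bot: Neither branch of the new `kindIs "slice"` block rejects a missing or empty `role`: `index` yields nil, `quote` renders `value: ""`, and the consuming script's `for` loop over SERVICE_OS_ROLES then assigns no service role while the job still exits successfully, whereas the old single value would most likely have failed inside `openstack role create`. Suggest failing at render time before the `kindIs` check: `{{- if not $serviceOsRoles }}{{ fail (printf "endpoints.identity.auth.%s.role must be set" $serviceUser) }}{{- end }}`. The environment variable is also renamed from SERVICE_OS_ROLE to SERVICE_OS_ROLES, so any chart that overrides or vendors an older `_ks-user.sh.tpl` will read an unset variable; that deserves a sentence in the commit message.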
diff --git a/helm-toolkit/templates/scripts/_ks-user.sh.tpl b/helm-toolkit/templates/scripts/_ks-user.sh.tpl
index 1b61371bd2..72b81fc716 100644
--- a/helm-toolkit/templates/scripts/_ks-user.sh.tpl
+++ b/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -76,6 +76,10 @@ openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
 openstack user show "${USER_ID}"
 function ks_assign_user_role () {
+ # Get user role
+ USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+ "${SERVICE_OS_ROLE}");
+
 # Manage user role assignment
 openstack role add \
 --user="${USER_ID}" \
@@ -92,9 +96,10 @@ function ks_assign_user_role () {
 }
 # Manage user service role
-export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
- "${SERVICE_OS_ROLE}");
-ks_assign_user_role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ ks_assign_user_role
+done
 # Manage user member role
 : ${MEMBER_OS_ROLE:="_member_"}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index 4941c3160f..0a6e39d78f 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -56,6 +56,15 @@ bootstrap:
 --project="${OS_PROJECT_NAME}" \
 "_member_"
+ #NOTE(portdirect): required for all users who operate heat stacks
+ openstack role create --or-show heat_stack_owner
+ openstack role add \
+ --user="${OS_USERNAME}" \
+ --user-domain="${OS_USER_DOMAIN_NAME}" \
+ --project-domain="${OS_PROJECT_DOMAIN_NAME}" \
+ --project="${OS_PROJECT_NAME}" \
+ "heat_stack_owner"
+
 network:
 api:
 ingress:
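Review bot: The role name passed to `openstack role create --or-show` is one raw comma-separated field, so a string value such as `admin, heat_stack_owner` in values would create and assign a brand-new Keystone role named ` heat_stack_owner` (leading space) instead of failing, and an empty field would reach the create call as `""`. Suggest normalising and guarding before the lookup: `SERVICE_OS_ROLE="$(printf '%s' "${SERVICE_OS_ROLE}" | tr -d '[:space:]')"` followed by `: "${SERVICE_OS_ROLE:?empty role name in SERVICE_OS_ROLES}"`. The assignment also drops the `export` the old top-level line had; if nothing spawned later reads USER_ROLE_ID that is fine, but it is worth confirming. The body of ks_assign_user_role continues outside the hunk.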
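Review bot: `IFS=','` stays in effect after `done`, so every unquoted expansion for the rest of the script, starting with the `# Manage user member role` section that follows, now splits on commas instead of whitespace. Save and restore it around the loop: `_OLD_IFS="${IFS}"` before `IFS=','` and `IFS="${_OLD_IFS}"` after `done` (or `unset IFS` if the shell default is what the rest of the script expects). An empty SERVICE_OS_ROLES also turns the loop into a silent no-op that leaves the service user without any service role while the job succeeds; `: "${SERVICE_OS_ROLES:?must list at least one role}"` before the loop would likely keep the fail-fast behaviour the removed single-role lines had.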
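Review bot: The `heat_stack_owner` grant is unconditional in the keystone bootstrap, so every deployment, with or without heat, now creates a heat-specific role and assigns it to the bootstrap identity `${OS_USERNAME}` on `${OS_PROJECT_NAME}`; the same `openstack role create --or-show heat_stack_owner` also runs in the heat chart bootstrap in the first hunk of this diff, leaving two copies that can drift. The NOTE should say that this assignment is scoped to the bootstrap project only and that users in other projects need their own assignment, and which of the two bootstraps is authoritative for the role, e.g. `# Project-scoped grant for the bootstrap identity only; heat/values.yaml bootstrap also creates this role`. If the grant is meant only for heat-enabled sites, a values toggle around it would avoid creating the role elsewhere.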