diff --git a/heat/templates/bin/_trusts.sh.tpl b/heat/templates/bin/_trusts.sh.tpl
new file mode 100644
index 0000000000..0e1e2e5ea1
--- /dev/null
+++ b/heat/templates/bin/_trusts.sh.tpl
@@ -0,0 +1,49 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -ex
+
+# Get IDs for filtering
+OS_PROJECT_ID=$(openstack project show -f value -c id ${OS_PROJECT_NAME})
+OS_USER_ID=$(openstack user show -f value -c id ${OS_USERNAME})
+SERVICE_OS_TRUSTEE_ID=$(openstack user show -f value -c id ${SERVICE_OS_TRUSTEE})
+
+# Check if trust doesn't already exist
+openstack trust list -f value -c "Project ID" \
+          -c "Trustee User ID" -c "Trustor User ID" | \
+          grep "^${OS_PROJECT_ID} ${SERVICE_OS_TRUSTEE_ID} ${OS_USER_ID}$" && \
+          exit 0
+
+# If there are no roles specified...
+if [ -z "${SERVICE_OS_ROLES}" ]; then
+    # ...Heat will try to delegate all of the roles that user has in the
+    # project. Let's fetch them all and use that.
+    readarray -t roles < <(openstack role assignment list -f value \
+            -c "Role" --user="${OS_USERNAME}" --project="${OS_PROJECT_ID}")
+else
+    # Split roles into an array
+    IFS=',' read -r -a roles <<< "${SERVICE_OS_ROLES}"
+fi
+
+# Create trust between trustor and trustee
+SERVICE_OS_TRUST_ID=$(openstack trust create -f value -c id \
+          --project="${OS_PROJECT_NAME}" \
+          ${roles[@]/#/--role=} \
+          "${OS_USERNAME}" \
+          "${SERVICE_OS_TRUSTEE}")
+
+# Display trust
+openstack trust show "${SERVICE_OS_TRUST_ID}"
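Review bot: The three `openstack ... show` lookups under `# Get IDs for filtering` and the role list in the `trust create` call pass their expansions unquoted, so a project, user or role name containing whitespace word-splits into extra arguments; write them as `"${OS_PROJECT_NAME}"`, `"${OS_USERNAME}"`, `"${SERVICE_OS_TRUSTEE}"` and `"${roles[@]/#/--role=}"`. The `#!/bin/bash` line sits after the license header, where it is not honoured as a shebang; the job only works because job-trusts.yaml invokes the script as `bash /tmp/trusts.sh`, so either move it to the first line or drop it. The comma split `IFS=',' read -r -a roles` keeps any whitespace around a role name (`"a, b"` yields `" b"`), which the quoting fix would then hand to Keystone verbatim, so trimming or documenting the expected format of `SERVICE_OS_ROLES` would avoid a confusing lookup failure. The `role assignment list` call appears to list direct assignments only; if group-inherited roles should be delegated as well, `--effective` would be needed, though that may be intentional.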
diff --git a/heat/templates/configmap-bin.yaml b/heat/templates/configmap-bin.yaml
index f1373fd6ca..a913b23ed2 100644
--- a/heat/templates/configmap-bin.yaml
+++ b/heat/templates/configmap-bin.yaml
@@ -38,6 +38,8 @@ data:
 {{- include "helm-toolkit.scripts.keystone_user" . | indent 4 }}
   ks-domain-user.sh: |+
 {{- include "helm-toolkit.scripts.keystone_domain_user" . | indent 4 }}
+  trusts.sh: |+
+{{ tuple "bin/_trusts.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   heat-api.sh: |
 {{ tuple "bin/_heat-api.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   heat-cfn.sh: |
diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml
new file mode 100644
index 0000000000..14f7b2ab22
--- /dev/null
+++ b/heat/templates/job-trusts.yaml
@@ -0,0 +1,54 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.trusts }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: heat-trusts
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+      containers:
+        - name: heat-trusts
+          image: {{ $envAll.Values.images.ks_service }}
+          imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.trusts | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - bash
+            - /tmp/trusts.sh
+          volumeMounts:
+            - name: heat-bin
+              mountPath: /tmp/trusts.sh
+              subPath: trusts.sh
+              readOnly: true
+          env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVICE_OS_ROLES
+              value: {{ .Values.conf.heat.default.heat.common.config.trusts_delegated_roles }}
+            - name: SERVICE_OS_TRUSTEE
+              value: {{ .Values.endpoints.identity.auth.trustee.username }}
+      volumes:
+        - name: heat-bin
+          configMap:
+            name: heat-bin
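Review bot: The two env values rendered from `.Values` (`SERVICE_OS_ROLES` and `SERVICE_OS_TRUSTEE`) are emitted unquoted; with `trusts_delegated_roles` now defaulting to `""` the first renders as a bare `value:` that YAML reads as null rather than the empty string, and any operator-supplied value YAML types as a number or boolean would be rejected as a non-string env var. Render them as `value: {{ .Values.conf.heat.default.heat.common.config.trusts_delegated_roles | quote }}` and `value: {{ .Values.endpoints.identity.auth.trustee.username | quote }}`. The template also mixes `$envAll.Values` and bare `.Values` (nodeSelector and the two env entries); the rest of the spec uses `$envAll`, so these should too. With an empty `SERVICE_OS_ROLES`, trusts.sh delegates every role the openrc identity injected here (the admin credentials) holds on the project to the trustee; a comment on the job stating that this scope is intended, or a non-empty default, would make the least-privilege decision explicit.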
diff --git a/heat/values.yaml b/heat/values.yaml
index 0fc275ec88..2f8304cc1c 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Default values for keystone.
+# Default values for heat.
 # This is a YAML-formatted file.
 # Declare name/value pairs to be passed into your templates.
 # name: value
@@ -52,7 +52,7 @@ conf:
         common:
           config:
             num_engine_workers: 4
-            trusts_delegated_roles: _member_
+            trusts_delegated_roles: ""
     keystone_authtoken:
       keystonemiddleware:
         auth_token:
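Review bot: Changing `trusts_delegated_roles` to `""` silently widens what the new heat-trusts job delegates: per the empty-roles branch in trusts.sh, an empty list means every role the trustor holds on the project, so the trustee now receives the full role set of the admin identity used by the job rather than just `_member_`. A comment on the key, such as `# Empty means the trusts job delegates all roles the trustor user holds on the project`, would make that consequence visible to operators; an explicit restricted default would be the least-privilege choice.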
@@ -62,7 +62,6 @@ conf:
       heat:
         common:
           context:
-            auth_section: trustee
             auth_type: password
             auth_version: v3
     heat_api:
@@ -148,6 +147,12 @@ dependencies:
     services:
     - service: identity
       endpoint: internal
+  trusts:
+    jobs:
+    - heat-ks-user
+    services:
+    - service: identity
+      endpoint: internal
   api:
     jobs:
     - heat-db-sync
@@ -233,7 +238,7 @@ endpoints:
       stack_user:
         role: admin
         region_name: RegionOne
-        username: heat-trust
+        username: heat-domain
         password: password
         domain_name: heat
     hosts:
@@ -456,6 +461,13 @@ pod:
         limits:
           memory: "1024Mi"
           cpu: "2000m"
+      trusts:
+        requests:
+          memory: "124Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 manifests:
   configmap_bin: true
diff --git a/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl b/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
index 6531e92686..e80c0f6963 100644
--- a/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
+++ b/helm-toolkit/templates/scripts/_ks-domain-user.sh.tpl
@@ -56,9 +56,7 @@ openstack user show "${SERVICE_OS_USERID}"
 
 # Manage role
 SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
-    --domain="${SERVICE_OS_DOMAIN_ID}" \
     "${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
-    --domain="${SERVICE_OS_DOMAIN_ID}" \
     "${SERVICE_OS_ROLE}" )
 
 # Manage user role assignment
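Review bot: Dropping `--domain` from both the `role show` and the fallback `role create` turns the lookup and creation into a global (non-domain-scoped) role, and because this script lives in helm-toolkit the behaviour change applies to every chart that includes `keystone_domain_user`, not only heat. If that is intended, a comment above the `SERVICE_OS_ROLE_ID=` assignment would stop the next reader from re-adding the flag, e.g. `# Role is looked up/created globally, not scoped to SERVICE_OS_DOMAIN_ID`; otherwise the domain scoping should be kept. `SERVICE_OS_DOMAIN_ID` may now be unused at this point, but the rest of the script is outside the hunk so that cannot be confirmed here.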