diff --git a/templates/cinderapi/config/01-service-defaults.conf b/templates/cinderapi/config/01-service-defaults.conf
index e67156c5..b340dbcd 100644
--- a/templates/cinderapi/config/01-service-defaults.conf
+++ b/templates/cinderapi/config/01-service-defaults.conf
@@ -1,2 +1,9 @@
 [DEFAULT]
 log_file = {{ .LogFile }}
+
+[keystone_authtoken]
+# This is part of hardening related to CVE-2023-2088
+# when enabled the service token user must have the service role to be considered valid.
+# cinder already checks for this, explicitly in the case of the attchment API even when
+# this is not enforced for all service token validation.
+service_token_roles_required = true
\ No newline at end of file
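Review bot: The new `[keystone_authtoken]` section enables `service_token_roles_required` but neither sets nor documents which role is checked. keystonemiddleware compares the service token against `service_token_roles`, which defaults to `service`. Nothing in this hunk shows that the users of services sending a service token to cinder hold that role, and if they do not, their service tokens will presumably be treated as invalid once this is deployed. I would pin the value with `service_token_roles = service` and add a comment such as `# Callers that send a service token must be granted the role listed in service_token_roles in Keystone.` The existing comment also misspells "attachment" as "attchment", and the file now ends without a trailing newline.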