diff --git a/manifests/engine.pp b/manifests/engine.pp
index 2238d6cfe..02c94cb8d 100644
--- a/manifests/engine.pp
+++ b/manifests/engine.pp
@@ -35,7 +35,19 @@
 #    used for stack locking
 #    Defaults to '2'
 #
-
+#  [*trusts_delegated_roles*]
+#    (optional) Array of trustor roles to be delegated to heat.
+#    Defaults to ['heat_stack_owner']
+#
+#  [*deferred_auth_method*]
+#    (optional) Select deferred auth method.
+#    Can be "password" or "trusts".
+#    Defaults to 'trusts'
+#
+#  [*configure_delegated_roles*]
+#    (optional) Whether to configure the delegated roles.
+#    Defaults to true
+#
 class heat::engine (
   $auth_encryption_key,
   $manage_service                = true,
@@ -44,7 +56,10 @@
   $heat_metadata_server_url      = 'http://127.0.0.1:8000',
   $heat_waitcondition_server_url = 'http://127.0.0.1:8000/v1/waitcondition',
   $heat_watch_server_url         = 'http://127.0.0.1:8003',
-  $engine_life_check_timeout     = '2'
+  $engine_life_check_timeout     = '2',
+  $trusts_delegated_roles        = ['heat_stack_owner'],
+  $deferred_auth_method          = 'trusts',
+  $configure_delegated_roles     = true,
 ) {
 
   include heat::params
@@ -66,6 +81,12 @@
     }
   }
 
+  if $configure_delegated_roles {
+    keystone_role { $trusts_delegated_roles:
+      ensure => present,
+    }
+  }
+
   service { 'heat-engine':
     ensure     => $service_ensure,
     name       => $::heat::params::engine_service_name,
@@ -85,5 +106,7 @@
     'DEFAULT/heat_waitcondition_server_url': value => $heat_waitcondition_server_url;
     'DEFAULT/heat_watch_server_url'        : value => $heat_watch_server_url;
     'DEFAULT/engine_life_check_timeout'    : value => $engine_life_check_timeout;
+    'DEFAULT/trusts_delegated_roles'       : value => $trusts_delegated_roles;
+    'DEFAULT/deferred_auth_method'         : value => $deferred_auth_method;
   }
 }
diff --git a/spec/classes/heat_engine_spec.rb b/spec/classes/heat_engine_spec.rb
index d4639ba84..734c7909b 100644
--- a/spec/classes/heat_engine_spec.rb
+++ b/spec/classes/heat_engine_spec.rb
@@ -10,6 +10,8 @@
       :heat_waitcondition_server_url => 'http://127.0.0.1:8000/v1/waitcondition',
       :heat_watch_server_url         => 'http://128.0.0.1:8003',
       :engine_life_check_timeout     => '2',
+      :trusts_delegated_roles        => ['heat_stack_owner'],
+      :deferred_auth_method          => 'trusts',
     }
   end
 
@@ -24,6 +26,9 @@
         :heat_waitcondition_server_url => 'http://127.0.0.1:8000/v1/waitcondition',
         :heat_watch_server_url         => 'http://128.0.0.1:8003',
         :engine_life_check_timeout     => '2',
+        :trusts_delegated_roles        => ['role1', 'role2'],
+        :deferred_auth_method          => 'trusts',
+        :configure_delegated_roles     => true,
       }
     ].each do |new_params|
       describe 'when #{param_set == {} ? "using default" : "specifying"} parameters'
@@ -56,6 +61,17 @@
       it { should contain_heat_config('DEFAULT/heat_waitcondition_server_url').with_value( expected_params[:heat_waitcondition_server_url] ) }
       it { should contain_heat_config('DEFAULT/heat_watch_server_url').with_value( expected_params[:heat_watch_server_url] ) }
       it { should contain_heat_config('DEFAULT/engine_life_check_timeout').with_value( expected_params[:engine_life_check_timeout] ) }
+      it { should contain_heat_config('DEFAULT/trusts_delegated_roles').with_value( expected_params[:trusts_delegated_roles] ) }
+      it { should contain_heat_config('DEFAULT/deferred_auth_method').with_value( expected_params[:deferred_auth_method] ) }
+
+      it 'configures delegated roles' do
+        should contain_keystone_role("role1").with(
+          :ensure  => 'present'
+        )
+        should contain_keystone_role("role2").with(
+          :ensure  => 'present'
+        )
+      end
     end
 
     context 'with disabled service managing' do