diff --git a/ec2api/api/__init__.py b/ec2api/api/__init__.py
index 56d61c6d..2ece0940 100644
--- a/ec2api/api/__init__.py
+++ b/ec2api/api/__init__.py
@@ -46,13 +46,6 @@ from ec2api import wsgi
 LOG = logging.getLogger(__name__)
 
 ec2_opts = [
-    cfg.StrOpt('keystone_url',
-               default='http://localhost:5000/',
-               deprecated_for_removal=True,
-               deprecated_reason='code was switched to common section '
-                                 '"keystone_authtoken"',
-               deprecated_since='Newton',
-               help='URL for getting admin session.'),
     cfg.StrOpt('keystone_ec2_tokens_url',
                default='http://localhost:5000/v3/ec2tokens',
                help='URL to authenticate token from ec2 request.'),
diff --git a/ec2api/clients.py b/ec2api/clients.py
index c570088b..184652ad 100644
--- a/ec2api/clients.py
+++ b/ec2api/clients.py
@@ -15,34 +15,16 @@
 from cinderclient import client as cinderclient
 from glanceclient import client as glanceclient
 from keystoneauth1 import loading as ks_loading
-from keystoneclient.auth.identity.generic import password as keystone_auth
 from keystoneclient import client as keystoneclient
-from keystoneclient import session as keystone_session
 from neutronclient.v2_0 import client as neutronclient
 from novaclient import api_versions as nova_api_versions
 from novaclient import client as novaclient
 from oslo_config import cfg
 from oslo_log import log as logging
 
-from ec2api.i18n import _
-
 logger = logging.getLogger(__name__)
 
 ec2_opts = [
-    cfg.BoolOpt('ssl_insecure',
-                default=False,
-                deprecated_for_removal=True,
-                deprecated_reason='code was switched to common section '
-                                  '"keystone_authtoken"',
-                deprecated_since='Newton',
-                help="Verify HTTPS connections."),
-    cfg.StrOpt('ssl_ca_file',
-               deprecated_for_removal=True,
-               deprecated_reason='code was switched to common section '
-                                 '"keystone_authtoken"',
-               deprecated_since='Newton',
-               help="CA certificate file to use to verify "
-                    "connecting clients"),
     cfg.StrOpt('nova_service_type',
                default='compute',
                help='Service type of Compute API, registered in Keystone '
@@ -53,25 +35,6 @@ ec2_opts = [
                default='volumev2',
                help='Service type of Volume API, registered in Keystone '
                     'catalog.'),
-    cfg.StrOpt('admin_user',
-               deprecated_for_removal=True,
-               deprecated_reason='code was switched to common section '
-                                 '"keystone_authtoken"',
-               deprecated_since='Newton',
-               help=_("Admin user to access specific cloud resourses")),
-    cfg.StrOpt('admin_password',
-               deprecated_for_removal=True,
-               deprecated_reason='code was switched to common section '
-                                 '"keystone_authtoken"',
-               deprecated_since='Newton',
-               help=_("Admin password"),
-               secret=True),
-    cfg.StrOpt('admin_tenant_name',
-               deprecated_for_removal=True,
-               deprecated_reason='code was switched to common section '
-                                 '"keystone_authtoken"',
-               deprecated_since='Newton',
-               help=_("Admin tenant name")),
 ]
 
 CONF = cfg.CONF
@@ -179,41 +142,22 @@ def _get_nova_api_version(context):
 _admin_session = None
 
 
-def get_session_from_deprecated():
-    auth = keystone_auth.Password(
-        username=CONF.admin_user,
-        password=CONF.admin_password,
-        project_name=CONF.admin_tenant_name,
-        tenant_name=CONF.admin_tenant_name,
-        auth_url=CONF.keystone_url,
-    )
-    params = {'auth': auth}
-    update_request_params_with_ssl(params)
-    return keystone_session.Session(**params)
-
-
 def get_os_admin_session():
     """Create a context to interact with OpenStack as an administrator."""
     # NOTE(ft): this is a singletone because keystone's session looks thread
     # safe for both regular and token renewal requests
     global _admin_session
     if not _admin_session:
-        if not CONF[GROUP_AUTHTOKEN].auth_type:
-            _admin_session = get_session_from_deprecated()
-        else:
-            auth_plugin = ks_loading.load_auth_from_conf_options(
-                CONF, GROUP_AUTHTOKEN)
-            _admin_session = ks_loading.load_session_from_conf_options(
-                CONF, GROUP_AUTHTOKEN, auth=auth_plugin)
+        auth_plugin = ks_loading.load_auth_from_conf_options(
+            CONF, GROUP_AUTHTOKEN)
+        _admin_session = ks_loading.load_session_from_conf_options(
+            CONF, GROUP_AUTHTOKEN, auth=auth_plugin)
 
     return _admin_session
 
 
 def update_request_params_with_ssl(params):
-    if not CONF[GROUP_AUTHTOKEN].auth_type:
-        verify = CONF.ssl_ca_file or not CONF.ssl_insecure
-    else:
-        verify = (CONF[GROUP_AUTHTOKEN].cafile or
-                  not CONF[GROUP_AUTHTOKEN].insecure)
+    verify = (CONF[GROUP_AUTHTOKEN].cafile or
+              not CONF[GROUP_AUTHTOKEN].insecure)
     if verify is not True:
         params['verify'] = verify
diff --git a/ec2api/tests/unit/test_context.py b/ec2api/tests/unit/test_context.py
index a007e2f7..44897f6e 100644
--- a/ec2api/tests/unit/test_context.py
+++ b/ec2api/tests/unit/test_context.py
@@ -24,7 +24,6 @@ from ec2api import clients
 from ec2api import context as ec2_context
 
 
-cfg.CONF.import_opt('keystone_url', 'ec2api.api')
 GROUP_AUTHTOKEN = 'keystone_authtoken'
 
 
@@ -63,41 +62,3 @@ class ContextTestCase(test_base.BaseTestCase):
         session.reset_mock()
         ec2_context.get_os_admin_context()
         self.assertFalse(session.called)
-
-    @mock.patch('keystoneclient.auth.identity.generic.password.Password')
-    def test_get_os_admin_context_deprecated(self, password_plugin):
-        conf = config_fixture.Config()
-        clients._admin_session = None
-        conf.config(auth_type=None, group=GROUP_AUTHTOKEN)
-        conf.config(admin_user='admin',
-                    admin_password='password',
-                    admin_tenant_name='service')
-
-        imp.reload(ec2_context)
-        # NOTE(ft): initialize a regular context to populate oslo_context's
-        # local storage to prevent admin context to populate it.
-        # Used to implicitly validate overwrite=False argument of the call
-        # RequestContext constructor from inside get_os_admin_context
-        if not context.get_current():
-            ec2_context.RequestContext(None, None)
-
-        ctx = ec2_context.get_os_admin_context()
-        conf = cfg.CONF
-        password_plugin.assert_called_once_with(
-            username=conf.admin_user,
-            password=conf.admin_password,
-            tenant_name=conf.admin_tenant_name,
-            project_name=conf.admin_tenant_name,
-            auth_url=conf.keystone_url)
-        self.assertIsNone(ctx.user_id)
-        self.assertIsNone(ctx.project_id)
-        self.assertIsNone(ctx.auth_token)
-        self.assertEqual([], ctx.service_catalog)
-        self.assertTrue(ctx.is_os_admin)
-        self.assertIsNotNone(ctx.session)
-        self.assertIsNotNone(ctx.session.auth)
-        self.assertNotEqual(context.get_current(), ctx)
-
-        password_plugin.reset_mock()
-        ec2_context.get_os_admin_context()
-        self.assertFalse(password_plugin.called)