diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 30760800..777d1b3b 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -186,7 +186,8 @@ function configure_ec2api {
     iniset $EC2API_CONF_FILE DEFAULT admin_password $SERVICE_PASSWORD
 
     iniset $EC2API_CONF_FILE DEFAULT ec2api_workers "$API_WORKERS"
-    iniset $EC2API_CONF_FILE DEFAULT keystone_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0"
+    iniset $EC2API_CONF_FILE DEFAULT keystone_url "$KEYSTONE_SERVICE_URI"
+    iniset $EC2API_CONF_FILE DEFAULT keystone_ec2_tokens_url "$KEYSTONE_SERVICE_URI_V3/ec2tokens"
     iniset $EC2API_CONF_FILE DEFAULT region_list "$REGION_NAME"
 
     iniset $EC2API_CONF_FILE DEFAULT ec2api_listen_port "$EC2API_SERVICE_PORT"
diff --git a/ec2api/api/__init__.py b/ec2api/api/__init__.py
index aea95f06..06fe8936 100644
--- a/ec2api/api/__init__.py
+++ b/ec2api/api/__init__.py
@@ -46,11 +46,11 @@ LOG = logging.getLogger(__name__)
 
 ec2_opts = [
     cfg.StrOpt('keystone_url',
-               default='http://localhost:5000/v2.0',
-               help='URL to get token from ec2 request.'),
+               default='http://localhost:5000/',
+               help='URL for getting admin session.'),
     cfg.StrOpt('keystone_ec2_tokens_url',
-               default='$keystone_url/ec2tokens',
-               help='URL to get token from ec2 request.'),
+               default='http://localhost:5000/v3/ec2tokens',
+               help='URL to authenticate token from ec2 request.'),
     cfg.IntOpt('ec2_timestamp_expiry',
                default=300,
                help='Time in seconds before ec2 timestamp expires'),
diff --git a/ec2api/clients.py b/ec2api/clients.py
index 15cd7ca8..6373f0d4 100644
--- a/ec2api/clients.py
+++ b/ec2api/clients.py
@@ -106,7 +106,8 @@ def cinder(context):
 
 
 def keystone(context):
-    return keystoneclient.Client(auth_url=CONF.keystone_url,
+    auth_url = context.session.get_endpoint(service_type='identity')
+    return keystoneclient.Client(auth_url=auth_url,
                                  session=context.session)
 
 
diff --git a/ec2api/tests/unit/test_clients.py b/ec2api/tests/unit/test_clients.py
index ef254363..ca7c428e 100644
--- a/ec2api/tests/unit/test_clients.py
+++ b/ec2api/tests/unit/test_clients.py
@@ -124,5 +124,5 @@ class ClientsTestCase(base.BaseTestCase):
         context = mock.NonCallableMock(session=mock.sentinel.session)
         res = clients.keystone(context)
         self.assertEqual(keystone.return_value, res)
-        keystone.assert_called_with(auth_url='http://localhost:5000/v2.0',
+        keystone.assert_called_with(auth_url='v1',
                                     session=mock.sentinel.session)
diff --git a/ec2api/tests/unit/test_middleware.py b/ec2api/tests/unit/test_middleware.py
index 3b37f396..c252aaac 100644
--- a/ec2api/tests/unit/test_middleware.py
+++ b/ec2api/tests/unit/test_middleware.py
@@ -149,7 +149,7 @@ class KeystoneAuthTestCase(test_base.BaseTestCase):
         resp = self.kauth(req)
         self._validate_ec2_error(resp, 400, 'AuthFailure')
         mock_request.assert_called_with('POST',
-                                        CONF.keystone_url + '/ec2tokens',
+                                        CONF.keystone_ec2_tokens_url,
                                         data=mock.ANY, headers=mock.ANY)
 
     @tools.screen_all_logs
@@ -161,7 +161,7 @@ class KeystoneAuthTestCase(test_base.BaseTestCase):
         resp = self.kauth(req)
         self._validate_ec2_error(resp, 400, 'AuthFailure')
         mock_request.assert_called_with('POST',
-                                        CONF.keystone_url + '/ec2tokens',
+                                        CONF.keystone_ec2_tokens_url,
                                         data=mock.ANY, headers=mock.ANY)
 
         fake_request = mock.NonCallableMock(status_code=200, headers={})
@@ -182,7 +182,7 @@ class KeystoneAuthTestCase(test_base.BaseTestCase):
         req.GET['AWSAccessKeyId'] = 'test-key-id'
         self.kauth(req)
         mock_request.assert_called_with(
-            'POST', CONF.keystone_url + '/ec2tokens',
+            'POST', CONF.keystone_ec2_tokens_url,
             data=mock.ANY, headers=mock.ANY)
 
         data = jsonutils.loads(mock_request.call_args[1]['data'])
diff --git a/install.sh b/install.sh
index d6f3ad15..31fc7813 100755
--- a/install.sh
+++ b/install.sh
@@ -268,6 +268,7 @@ iniset $CONF_FILE DEFAULT logging_context_format_string "%(asctime)s.%(msecs)03d
 iniset $CONF_FILE DEFAULT log_dir "$LOG_DIR"
 iniset $CONF_FILE DEFAULT verbose True
 iniset $CONF_FILE DEFAULT keystone_url "$OS_AUTH_URL"
+iniset $CONF_FILE DEFAULT keystone_ec2_tokens_url "$OS_AUTH_URL/v3/ec2tokens"
 iniset $CONF_FILE database connection "$CONNECTION"
 iniset $CONF_FILE DEFAULT full_vpc_support "$VPC_SUPPORT"
 iniset $CONF_FILE DEFAULT external_network "$EXTERNAL_NETWORK"