diff --git a/manifests/key.pp b/manifests/key.pp
index 911df1a9..2061031c 100644
--- a/manifests/key.pp
+++ b/manifests/key.pp
@@ -47,6 +47,10 @@
 # Optional. e.g. 'allow *'
 # Defaults to 'undef'.
 #
+# [*cap_mgr*] cephx capabilities for MGR access.
+# Optional. e.g. 'allow *'
+# Defaults to 'undef'.
+#
 # [*user*] Owner of the *keyring_path* file.
 # Optional. Defaults to 'root'.
 #
@@ -77,6 +81,7 @@ define ceph::key (
 $cap_mon = undef,
 $cap_osd = undef,
 $cap_mds = undef,
+ $cap_mgr = undef,
 $user = 'root',
 $group = 'root',
 $mode = '0600',
@@ -107,8 +112,13 @@ define ceph::key (
 } else {
 $mds_caps = ''
 }
+ if $cap_mgr {
+ $mgr_caps = "--cap mgr '${cap_mgr}' "
+ } else {
+ $mgr_caps = ''
+ }
- $caps = "${mon_caps}${osd_caps}${mds_caps}"
+ $caps = "${mon_caps}${osd_caps}${mds_caps}${mgr_caps}"
 # this allows multiple defines for the same 'keyring file',
 # which is supported by ceph-authtool
diff --git a/releasenotes/notes/add_mgr_caps-56dadf9202ce30b3.yaml b/releasenotes/notes/add_mgr_caps-56dadf9202ce30b3.yaml
new file mode 100644
index 00000000..0e5a80ac
--- /dev/null
+++ b/releasenotes/notes/add_mgr_caps-56dadf9202ce30b3.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Bug 1720864 Allow setting optional manager capabilities on keys.
diff --git a/spec/defines/ceph_key_spec.rb b/spec/defines/ceph_key_spec.rb
index 71aa5da4..27c46d49 100644
--- a/spec/defines/ceph_key_spec.rb
+++ b/spec/defines/ceph_key_spec.rb
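Review bot: The new `$mgr_caps` fragment in the third hunk interpolates `$cap_mgr` directly into a single-quoted word of the ceph-authtool command line, so a value that itself contains a single quote ends that quoting and the rest of the value is presumably handed to the shell unquoted when the exec runs; the spec only exercises `'allow *'`. The mon/osd/mds fragments above it have the same shape, so this is pre-existing rather than introduced by the commit, but the new parameter is a natural place to start enforcing the constraint, for example `if $cap_mgr =~ /'/ { fail('cap_mgr must not contain single quotes') }` ahead of the `if $cap_mgr {` branch, or passing the value through `shellquote()` instead of hand-written quotes. It would also help to state in the `[*cap_mgr*]` doc comment that the value is placed verbatim inside a shell command. The enclosing define `ceph::key` starts and ends outside this hunk.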
@@ -38,13 +38,14 @@ describe 'ceph::key' do
 :group => 'nogroup',
 :cap_mon => 'allow *',
 :cap_osd => 'allow rw',
+ :cap_mgr => 'allow *',
 :inject => true,
 }
 end
 it { is_expected.to contain_exec('ceph-key-client.admin').with(
- 'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph-authtool /etc/ceph/ceph.client.admin.keyring --name 'client.admin' --add-key 'supersecret' --cap mon 'allow *' --cap osd 'allow rw' "
+ 'command' => "/bin/true # comment to satisfy puppet syntax requirements\nset -ex\nceph-authtool /etc/ceph/ceph.client.admin.keyring --name 'client.admin' --add-key 'supersecret' --cap mon 'allow *' --cap osd 'allow rw' --cap mgr 'allow *' "
 )
 is_expected.to contain_file('/etc/ceph/ceph.client.admin.keyring').with(
 'owner' => 'nobody',