diff --git a/manifests/keystone/domain.pp b/manifests/keystone/domain.pp
index a307a20..5d9a25d 100644
--- a/manifests/keystone/domain.pp
+++ b/manifests/keystone/domain.pp
@@ -4,6 +4,9 @@
 #
 # === Parameters
 #
+# [*cluster_user_trust*]
+#   enable creation of a user trust for clusters.  Defaults to $::os_service_default.
+#
 # [*domain_name*]
 #   magnum domain name. Defaults to 'magnum'.
 #
@@ -31,6 +34,7 @@
 #   Defaults to 'true'.
 #
 class magnum::keystone::domain (
+  $cluster_user_trust = $::os_service_default,
   $domain_name        = 'magnum',
   $domain_admin       = 'magnum_admin',
   $domain_admin_email = 'magnum_admin@localhost',
@@ -69,6 +73,7 @@ class magnum::keystone::domain (
   }
 
   magnum_config {
+    'trust/cluster_user_trust':            value => $cluster_user_trust;
     'trust/trustee_domain_name':           value => $domain_name;
     'trust/trustee_domain_admin_name':     value => $domain_admin;
     'trust/trustee_domain_admin_password': value => $domain_password, secret => true;
diff --git a/releasenotes/notes/allow-enable-cluster-user-trust-49bc0abdc8504532.yaml b/releasenotes/notes/allow-enable-cluster-user-trust-49bc0abdc8504532.yaml
new file mode 100644
index 0000000..53be044
--- /dev/null
+++ b/releasenotes/notes/allow-enable-cluster-user-trust-49bc0abdc8504532.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - Added configuration option to allow configuring a user trust for clusters
+    which can be accessed at magnum::keystone::domain::cluster_user_trust
diff --git a/spec/classes/magnum_keystone_domain_spec.rb b/spec/classes/magnum_keystone_domain_spec.rb
index baa7dfb..5f12ce5 100644
--- a/spec/classes/magnum_keystone_domain_spec.rb
+++ b/spec/classes/magnum_keystone_domain_spec.rb
@@ -3,6 +3,7 @@ require 'spec_helper'
 describe 'magnum::keystone::domain' do
 
   let :params do {
+    :cluster_user_trust => true,
     :domain_name        => 'magnum',
     :domain_admin       => 'magnum_admin',
     :domain_admin_email => 'magnum_admin@localhost',
@@ -12,6 +13,7 @@ describe 'magnum::keystone::domain' do
 
   shared_examples_for 'magnum keystone domain' do
     it 'configure magnum.conf' do
+      is_expected.to contain_magnum_config('trust/cluster_user_trust').with_value(params[:cluster_user_trust])
       is_expected.to contain_magnum_config('trust/trustee_domain_admin_name').with_value(params[:domain_admin])
       is_expected.to contain_magnum_config('trust/trustee_domain_admin_password').with_value(params[:domain_password])
       is_expected.to contain_magnum_config('trust/trustee_domain_admin_password').with_secret(true)