diff --git a/keystone/api/_shared/EC2_S3_Resource.py b/keystone/api/_shared/EC2_S3_Resource.py
index ff94286b6e..7b2fc21b29 100644
--- a/keystone/api/_shared/EC2_S3_Resource.py
+++ b/keystone/api/_shared/EC2_S3_Resource.py
@@ -31,6 +31,7 @@ CRED_TYPE_EC2 = 'ec2'
 
 
 class ResourceBase(ks_flask.ResourceBase):
+    @ks_flask.unenforced_api
     def get(self):
         # SPECIAL CASE: GET is not allowed, raise METHOD_NOT_ALLOWED
         raise exceptions.MethodNotAllowed(valid_methods=['POST'])
diff --git a/keystone/tests/unit/test_contrib_ec2_core.py b/keystone/tests/unit/test_contrib_ec2_core.py
index 4b514f8985..8da5bbaa65 100644
--- a/keystone/tests/unit/test_contrib_ec2_core.py
+++ b/keystone/tests/unit/test_contrib_ec2_core.py
@@ -37,6 +37,13 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase):
         PROVIDERS.credential_api.create_credential(
             self.credential['id'], self.credential)
 
+    def test_http_get_method_not_allowed(self):
+        resp = self.get('/ec2tokens',
+                        expected_status=http.client.METHOD_NOT_ALLOWED,
+                        convert=False)
+        self.assertEqual(http.client.METHOD_NOT_ALLOWED,
+                         resp.status_code)
+
     def test_valid_authentication_response_with_proper_secret(self):
         signer = ec2_utils.Ec2Signer(self.cred_blob['secret'])
         timestamp = utils.isotime(timeutils.utcnow())
diff --git a/keystone/tests/unit/test_contrib_s3_core.py b/keystone/tests/unit/test_contrib_s3_core.py
index a9c8acd7ce..b109e8cdf2 100644
--- a/keystone/tests/unit/test_contrib_s3_core.py
+++ b/keystone/tests/unit/test_contrib_s3_core.py
@@ -39,6 +39,13 @@ class S3ContribCore(test_v3.RestfulTestCase):
         PROVIDERS.credential_api.create_credential(
             self.credential['id'], self.credential)
 
+    def test_http_get_method_not_allowed(self):
+        resp = self.get('/s3tokens',
+                        expected_status=http.client.METHOD_NOT_ALLOWED,
+                        convert=False)
+        self.assertEqual(http.client.METHOD_NOT_ALLOWED,
+                         resp.status_code)
+
     def test_good_response(self):
         sts = 'string to sign'  # opaque string from swift3
         sig = hmac.new(self.cred_blob['secret'].encode('ascii'),
diff --git a/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml b/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml
new file mode 100644
index 0000000000..fcdd030fbf
--- /dev/null
+++ b/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    [`bug 2052916 <https://bugs.launchpad.net/keystone/+bug/2052916>`_]
+    Fixed a bug where a HTTP GET request against ``/v3/s3tokens`` or
+    ``/v3/ec2tokens`` would return HTTP 500 instead of HTTP 405.