diff --git a/tests/run.yml b/tests/run.yml
index 3300329a11..39aed9a44c 100644
--- a/tests/run.yml
+++ b/tests/run.yml
@@ -89,12 +89,6 @@
       when: scenario == "bifrost"
       delegate_to: "primary"
 
-    - name: copy passwords.yml file
-      copy:
-        src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
-        dest: /etc/kolla/passwords.yml
-      delegate_to: "primary"
-
     - name: ensure /etc/docker exists
       file:
         path: "/etc/docker"
@@ -110,15 +104,39 @@
         dest: "/etc/docker/daemon.json"
       become: true
 
-
     - name: install kolla-ansible requirements
       pip:
         requirements: "{{ ansible_env.HOME }}/{{ kolla_ansible_src_dir }}/requirements.txt"
       become: true
 
+    - name: copy passwords.yml file
+      copy:
+        src: "{{ kolla_ansible_full_src_dir }}/etc/kolla/passwords.yml"
+        dest: /etc/kolla/passwords.yml
+
     - name: generate passwords
       shell: "{{ kolla_ansible_src_dir }}/tools/generate_passwords.py"
-      delegate_to: "primary"
+
+    - name: slurp kolla passwords
+      slurp:
+        src: /etc/kolla/passwords.yml
+      register: passwords_yml
+
+    - name: write out kolla SSH private key
+      copy:
+        content: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.private_key }}"
+        dest: ~/.ssh/id_rsa_kolla
+        mode: 0600
+
+    - name: authorise kolla public key for zuul user
+      authorized_key:
+        user: "{{ ansible_env.USER }}"
+        key: "{{ (passwords_yml.content | b64decode | from_yaml).kolla_ssh_key.public_key }}"
+      # Delegate to each host in turn. If more tasks require execution on all
+      # hosts in future, break out into a separate play.
+      with_inventory_hostnames:
+        - all
+      delegate_to: "{{ item }}"
 
     - name: generate ceph config overrides
       template:
diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2
index b92f3570c3..d3e00d0c0d 100644
--- a/tests/templates/inventory.j2
+++ b/tests/templates/inventory.j2
@@ -2,32 +2,32 @@
 # additional groups are for more control of the environment.
 [control]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [network]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [compute]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [storage]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [monitoring]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 [deployment]
 {% for host in hostvars %}
-{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_become=true ansible_user={{ hostvars[host]['ansible_user'] }}
+{{ host }} ansible_host={{ hostvars[host]['ansible_host'] }} ansible_user=kolla ansible_ssh_private_key_file={{ ansible_env.HOME ~ '/.ssh/id_rsa_kolla' }}
 {% endfor %}
 
 # You can explicitly specify which hosts run each project by updating the
diff --git a/tools/setup_gate.sh b/tools/setup_gate.sh
index fc7a60af6e..a6cb4e391f 100755
--- a/tools/setup_gate.sh
+++ b/tools/setup_gate.sh
@@ -105,11 +105,11 @@ host_key_checking = False
 EOF
 
     # Record the running state of the environment as seen by the setup module
-    ansible all -i ${RAW_INVENTORY} -m setup > /tmp/logs/ansible/initial-setup
+    ansible all -i ${RAW_INVENTORY} -e ansible_user=$USER -m setup > /tmp/logs/ansible/initial-setup
 }
 
 function setup_node {
-    ansible-playbook -i ${RAW_INVENTORY} tools/playbook-setup-nodes.yml
+    ansible-playbook -i ${RAW_INVENTORY} -e ansible_user=$USER tools/playbook-setup-nodes.yml
 }
 
 function prepare_images {
@@ -152,7 +152,7 @@ function sanity_check {
 
 function test_openstack {
     # Create dummy interface for neutron
-    ansible -m shell -i ${RAW_INVENTORY} -a "ip l a fake_interface type dummy" all
+    ansible -m shell -i ${RAW_INVENTORY} -b -a "ip l a fake_interface type dummy" all
 
     #TODO(inc0): Post-deploy complains that /etc/kolla is not writable. Probably we need to include become there
     sudo chmod -R 777 /etc/kolla
@@ -240,7 +240,7 @@ setup_ansible
 setup_config
 setup_node
 
-tools/kolla-ansible -i ${RAW_INVENTORY} bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
+tools/kolla-ansible -i ${RAW_INVENTORY} -e ansible_user=$USER bootstrap-servers > /tmp/logs/ansible/bootstrap-servers
 prepare_images
 
 if [[ $ACTION != bifrost ]]; then