diff --git a/manifests/profile/base/cinder/volume.pp b/manifests/profile/base/cinder/volume.pp
index 7d562ec20..1fff1d3c5 100644
--- a/manifests/profile/base/cinder/volume.pp
+++ b/manifests/profile/base/cinder/volume.pp
@@ -46,6 +46,10 @@
 # (Optional) List of additional backend stanzas to activate
 # Defaults to hiera('cinder_user_enabled_backends')
 #
+# [*cinder_rbd_client_name*]
+# (Optional) Name of RBD client
+# Defaults to hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name')
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -59,6 +63,7 @@ class tripleo::profile::base::cinder::volume (
 $cinder_enable_nfs_backend = false,
 $cinder_enable_rbd_backend = false,
 $cinder_user_enabled_backends = hiera('cinder_user_enabled_backends', undef),
+ $cinder_rbd_client_name = hiera('tripleo::profile::base::cinder::volume::rbd::cinder_rbd_user_name','openstack'),
 $step = hiera('step'),
 ) {
 include ::tripleo::profile::base::cinder
@@ -104,6 +109,13 @@ class tripleo::profile::base::cinder::volume (
 if $cinder_enable_rbd_backend {
 include ::tripleo::profile::base::cinder::volume::rbd
 $cinder_rbd_backend_name = hiera('cinder::backend::rbd::volume_backend_name', 'tripleo_ceph')
+
+ exec{ "exec-setfacl-${cinder_rbd_client_name}-cinder":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:cinder:r-- /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q user:cinder:r--",
+ }
+ Ceph::Key<| title == "client.${cinder_rbd_client_name}" |> -> Exec["exec-setfacl-${cinder_rbd_client_name}-cinder"]
 } else {
 $cinder_rbd_backend_name = undef
 }
diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp
index 019da65b9..17ba324da 100644
--- a/manifests/profile/base/glance/api.pp
+++ b/manifests/profile/base/glance/api.pp
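Review bot: The `unless` guard on the new `exec` in the third hunk of cinder/volume.pp only greps for the text of the ACL entry, so it still passes when the entry exists but is masked out. If something later resets the keyring's mode (for example a `Ceph::Key` that manages the file mode, which is not visible here), `getfacl` prints `user:cinder:r--` followed by `#effective:---`, the grep matches, and cinder loses read access to the key without Puppet re-applying the ACL. Checking the effective rights closes that gap: `unless => "getfacl -e /etc/ceph/ceph.client.${cinder_rbd_client_name}.keyring | grep -q '^user:cinder:r--.*effective:r--'",`. The same guard is repeated for glance, gnocchi and manila in the later hunks. The class body starts and ends outside this hunk.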
@@ -38,6 +38,10 @@
 # [*rabbit_port*]
 # IP port for rabbitmq service
 # Defaults to hiera('glance::notify::rabbitmq::rabbit_port', 5672)
+#
+# [*glance_rbd_client_name*]
+# Name used by the glance ceph key
+# defaults to 'openstack'
 class tripleo::profile::base::glance::api (
 $glance_backend = downcase(hiera('glance_backend', 'swift')),
@@ -45,6 +49,7 @@ class tripleo::profile::base::glance::api (
 $step = hiera('step'),
 $rabbit_hosts = hiera('rabbitmq_node_ips', undef),
 $rabbit_port = hiera('glance::notify::rabbitmq::rabbit_port', 5672),
+ $glance_rbd_client_name = hiera('glance::backend::rbd::rbd_store_user','openstack'),
 ) {
 if $step >= 1 and $glance_nfs_enabled {
@@ -55,7 +60,15 @@ class tripleo::profile::base::glance::api (
 case $glance_backend {
 'swift': { $backend_store = 'glance.store.swift.Store' }
 'file': { $backend_store = 'glance.store.filesystem.Store' }
- 'rbd': { $backend_store = 'glance.store.rbd.Store' }
+ 'rbd': {
+ $backend_store = 'glance.store.rbd.Store'
+ exec{ "exec-setfacl-${glance_rbd_client_name}-glance":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:glance:r-- /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring | grep -q user:glance:r--",
+ }
+ Ceph::Key<| title == "client.${glance_rbd_client_name}" |> -> Exec["exec-setfacl-${glance_rbd_client_name}-glance"]
+ }
 default: { fail('Unrecognized glance_backend parameter.') }
 }
 $http_store = ['glance.store.http.Store']
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 51b441799..335a4319b 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
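Review bot: The doc entry added for `glance_rbd_client_name` in the first hunk of glance/api.pp gives the default as 'openstack', but the signature in the next hunk reads `hiera('glance::backend::rbd::rbd_store_user','openstack')`, so the comment hides the hiera key an operator would actually override. I would write it as `#   (Optional) Name of the cephx client whose keyring glance reads.` followed by `#   Defaults to hiera('glance::backend::rbd::rbd_store_user', 'openstack')`. The gnocchi doc block has the same gap for `gnocchi::storage::ceph::ceph_username`, and the cinder one names the lookup but omits the 'openstack' fallback.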
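Review bot: The ordering in the new `'rbd'` branch of glance/api.pp only holds when the collector `Ceph::Key<| title == "client.${glance_rbd_client_name}" |>` matches something. If no `Ceph::Key` with that title is in this node's catalog, the collector is empty, the `exec` has no dependency, and `setfacl` fails on a keyring that may not exist yet. If the keyring can be delivered by other means, adding `onlyif => "test -f /etc/ceph/ceph.client.${glance_rbd_client_name}.keyring",` to the exec keeps the run from failing until the file is present. Whether this `case` sits behind a `$step` guard is not visible in the hunk. The cinder, gnocchi and manila execs are ordered the same way.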
@@ -26,6 +26,10 @@
 # (Optional) Gnocchi backend string file, swift or rbd
 # Defaults to swift
 #
+# [*gnocchi_rbd_client_name*]
+# Name used by the gnocchi cephx key
+# Defaults to 'openstack'
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -34,6 +38,7 @@
 class tripleo::profile::base::gnocchi::api (
 $bootstrap_node = hiera('bootstrap_nodeid', undef),
 $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')),
+ $gnocchi_rbd_client_name = hiera('gnocchi::storage::ceph::ceph_username','openstack'),
 $step = hiera('step'),
 ) {
 if $::hostname == downcase($bootstrap_node) {
@@ -59,7 +64,15 @@ class tripleo::profile::base::gnocchi::api (
 case $gnocchi_backend {
 'swift': { include ::gnocchi::storage::swift }
 'file': { include ::gnocchi::storage::file }
- 'rbd': { include ::gnocchi::storage::ceph }
+ 'rbd': {
+ include ::gnocchi::storage::ceph
+ exec{ "exec-setfacl-${gnocchi_rbd_client_name}-gnocchi":
+ path => ['/bin', '/usr/bin'],
+ command => "setfacl -m u:gnocchi:r-- /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring",
+ unless => "getfacl /etc/ceph/ceph.client.${gnocchi_rbd_client_name}.keyring | grep -q user:gnocchi:r--",
+ }
+ Ceph::Key<| title == "client.${gnocchi_rbd_client_name}" |> -> Exec["exec-setfacl-${gnocchi_rbd_client_name}-gnocchi"]
+ }
 default: { fail('Unrecognized gnocchi_backend parameter.') }
 }
 }
diff --git a/manifests/profile/base/manila/share.pp b/manifests/profile/base/manila/share.pp
index d39c55c34..7c84d124e 100644
--- a/manifests/profile/base/manila/share.pp
+++ b/manifests/profile/base/manila/share.pp
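Review bot: With the defaults in this commit, `gnocchi_rbd_client_name` in gnocchi/api.pp falls back to `openstack`, as do `glance_rbd_client_name` and `cinder_rbd_client_name`. On a node that runs more than one of these services, the execs therefore stack read ACLs for cinder, glance and gnocchi on the same `/etc/ceph/ceph.client.openstack.keyring`. Any one of those service accounts can then read a cephx key that presumably carries the capabilities of all of them (the key's caps are not shown here). A line in the parameter doc such as `#   Set to a dedicated cephx client to avoid sharing one key across services.` would make the trade-off visible; per-service client defaults would be the stronger fix.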
@@ -30,5 +30,20 @@ class tripleo::profile::base::manila::share (
 if $step >= 4 {
 include ::manila::share
+
+ $cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id')
+ $keyring_path = "/etc/ceph/ceph.client.${cephfs_auth_id}.keyring"
+ ceph_config {
+ "client.${cephfs_auth_id}/keyring": value => $keyring_path;
+ "client.${cephfs_auth_id}/client mount uid": value => 0;
+ "client.${cephfs_auth_id}/client mount gid": value => 0;
+ }
+
+ exec{ "exec-setfacl-${cephfs_auth_id}-manila":
+ path => ['/bin', '/usr/bin' ],
+ command => "setfacl -m u:manila:r-- ${keyring_path}",
+ unless => "getfacl ${keyring_path} | grep -q user:manila:r--",
+ }
+ Ceph::Key<| title == "client.${cephfs_auth_id}" |> -> Exec["exec-setfacl-${cephfs_auth_id}-manila"]
 }
 }
diff --git a/metadata.json b/metadata.json
index 8c8edd560..2f9a291de 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,6 +25,7 @@
 "dependencies": [
 { "name": "puppetlabs/stdlib", "version_requirement": ">= 3.2.0 < 5.0.0" },
 { "name": "sensu/sensu" },
- { "name": "yelp/uchiwa" }
+ { "name": "yelp/uchiwa" },
+ { "name": "openstack/ceph"}
 ]
 }
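Review bot: In manila/share.pp, `hiera('manila::backend::cephfsnative::cephfs_auth_id')` is called without a default and outside any backend check. Every node that includes this profile at step 4 therefore needs that key in hiera or catalog compilation fails, including deployments where manila uses a different backend. The `ceph_config` entries (which set the client mount uid and gid to 0) and the `setfacl` exec are applied unconditionally in the same way. I would look the value up as `$cephfs_auth_id = hiera('manila::backend::cephfsnative::cephfs_auth_id', undef)` and wrap the new resources in `if $cephfs_auth_id { ... }`. The class body begins outside the hunk.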