diff --git a/tripleo_common/actions/base.py b/tripleo_common/actions/base.py
index ed1cd5a09..d0a5b2a7f 100644
--- a/tripleo_common/actions/base.py
+++ b/tripleo_common/actions/base.py
@@ -36,16 +36,26 @@ class TripleOAction(actions.Action):
 super(TripleOAction, self).__init__()
 def get_object_client(self, context):
- obj_ep = keystone_utils.get_endpoint_for_project(context, 'swift')
+ swift_endpoint = keystone_utils.get_endpoint_for_project(
+ context,
+ 'swift'
+ )
+
+ session_and_auth = keystone_utils.get_session_and_auth(
+ context,
+ service_name='swift'
+ )
 kwargs = {
- 'preauthurl': obj_ep.url % {'tenant_id': context.project_id},
- 'preauthtoken': context.auth_token,
+ 'preauthurl': swift_endpoint.url % {
+ 'tenant_id': context.project_id
+ },
+ 'session': session_and_auth['session'],
+ 'insecure': context.insecure,
 'retries': 10,
 'starting_backoff': 3,
 'max_backoff': 120
 }
-
 return swift_client.Connection(**kwargs)
 def get_baremetal_client(self, context):
@@ -109,17 +119,23 @@ class TripleOAction(actions.Action):
 def get_messaging_client(self, context):
 zaqar_endpoint = keystone_utils.get_endpoint_for_project(
 context, service_type='messaging')
- keystone_endpoint = keystone_utils.get_endpoint_for_project(
- context, 'keystone')
+
+ session_and_auth = keystone_utils.get_session_and_auth(
+ context,
+ service_type='messaging'
+ )
+
+ auth_uri = context.auth_uri or \
+ keystone_utils.CONF.keystone_authtoken.auth_uri
 opts = {
 'os_auth_token': context.auth_token,
- 'os_auth_url': keystone_endpoint.url,
+ 'os_auth_url': auth_uri,
 'os_project_id': context.project_id,
 'insecure': context.insecure,
 }
- auth_opts = {'backend': 'keystone', 'options': opts}
- conf = {'auth_opts': auth_opts}
+ auth_opts = {'backend': 'keystone', 'options': opts, }
+ conf = {'auth_opts': auth_opts, 'session': session_and_auth['session']}
 return zaqarclient.Client(zaqar_endpoint.url, conf=conf)
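Review bot: The new kwargs in get_object_client pass `'insecure': context.insecure` next to `'session'`, but nothing carries the CA bundle that `_determine_verify` (added in tripleo_common/utils/keystone.py) reads from `auth_cacert`. Which of the two settings swiftclient applies to object requests is not visible in this diff; if it uses its own `insecure`/`cacert` arguments rather than the session's `verify`, a deployment with a private CA would only work with verification switched off. I would either add `'cacert': context.auth_cacert,` to the dict, or drop `insecure` and add a comment stating that the session's `verify` governs TLS here.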
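Review bot: `auth_uri = context.auth_uri or keystone_utils.CONF.keystone_authtoken.auth_uri` in get_messaging_client can evaluate to `None` when neither value is set, and it is then passed on as `os_auth_url` without a check; the same expression is repeated in `get_session_and_auth` in tripleo_common/utils/keystone.py, where it feeds `Token(endpoint=auth_uri, ...)`. One helper in keystone.py that resolves the URL and raises when it is missing would remove the duplication and fail at a clear point, e.g. `if not auth_uri: raise ValueError('keystone auth_uri is not configured')`. A short comment is also needed on why `opts` keeps `os_auth_token` and `insecure` now that `conf` carries a `session`, since a reader cannot tell from here which of the two the zaqar client uses for authentication and TLS verification.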
@@ -133,32 +149,13 @@ class TripleOAction(actions.Action):
 return mc
 def get_compute_client(self, context):
- keystone_endpoint = keystone_utils.get_endpoint_for_project(
- context, 'keystone')
- nova_endpoint = keystone_utils.get_endpoint_for_project(
- context, 'nova')
- # TODO(apetrich) Change this auth to a keystone session
- client = nova_client(
- 2,
- username=None,
- api_key=None,
- service_type='compute',
- auth_token=context.auth_token,
- tenant_id=context.project_id,
- region_name=keystone_endpoint.region,
- auth_url=keystone_endpoint.url,
- insecure=context.insecure,
- project_domain_name="Default",
- user_domain_name="Default"
+ conf = keystone_utils.get_session_and_auth(
+ context,
+ service_type='compute'
 )
- client.client.management_url = keystone_utils.format_url(
- nova_endpoint.url,
- {'tenant_id': context.project_id}
- )
-
- return client
+ return nova_client(2, **conf)
 def _cache_key(self, plan_name, key_name):
 return "__cache_{}_{}".format(plan_name, key_name)
diff --git a/tripleo_common/utils/keystone.py b/tripleo_common/utils/keystone.py
index 43b610997..784a3e079 100644
--- a/tripleo_common/utils/keystone.py
+++ b/tripleo_common/utils/keystone.py
@@ -17,6 +17,8 @@
 import six
 from keystoneauth1 import loading
+from keystoneauth1 import session as ks_session
+from keystoneauth1.token_endpoint import Token
 from keystoneclient import service_catalog as ks_service_catalog
 from keystoneclient.v3 import client as ks_client
 from keystoneclient.v3 import endpoints as ks_endpoints
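Review bot: `return nova_client(2, **conf)` in get_compute_client unpacks whatever `get_session_and_auth` returns straight into the client constructor, so any key later added to that dict becomes an unexpected keyword argument here. Naming the two values keeps the call stable and matches the `session_and_auth` naming used in get_object_client and get_messaging_client: `return nova_client(2, session=session_and_auth['session'], auth=session_and_auth['auth'])`. The removed call also passed `region_name=keystone_endpoint.region`; a one-line comment on whether region selection is still handled (presumably inside `get_endpoint_for_project`) would tell a reader it was not dropped by accident.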
@@ -42,6 +44,52 @@ def client(ctx):
 return cl
+def _determine_verify(ctx):
+ if ctx.insecure:
+ return False
+ elif ctx.auth_cacert:
+ return ctx.auth_cacert
+ else:
+ return True
+
+
+def get_session_and_auth(context, **kwargs):
+ """Get session and auth parameters
+
+ :param context: action context
+ :return: dict to be used as kwargs for client serviceinitialization
+ """
+
+ if not context:
+ raise AssertionError('context is mandatory')
+
+ project_endpoint = get_endpoint_for_project(context, **kwargs)
+ endpoint = format_url(
+ project_endpoint.url,
+ {
+ 'tenant_id': context.project_id,
+ 'project_id': context.project_id
+ }
+ )
+
+ auth = Token(endpoint=endpoint, token=context.auth_token)
+
+ auth_uri = context.auth_uri or CONF.keystone_authtoken.auth_uri
+ ks_auth = Token(
+ endpoint=auth_uri,
+ token=context.auth_token
+ )
+ session = ks_session.Session(
+ auth=ks_auth,
+ verify=_determine_verify(context)
+ )
+
+ return {
+ "session": session,
+ "auth": auth
+ }
+
+
 def _admin_client(trust_id=None):
 if CONF.keystone_authtoken.auth_type is None:
 auth_url = CONF.keystone_authtoken.auth_uri
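Review bot: `_determine_verify` returns `False` as soon as `ctx.insecure` is truthy, even when `ctx.auth_cacert` is also set, and the session built from it in `get_session_and_auth` then carries `context.auth_token` with certificate verification off and nothing logged. I would give the helper a docstring that states this precedence and its mixed return (`False`, a CA bundle path, or `True`), and emit a warning on the `insecure` branch so that a deployment running without verification shows up in the logs. `get_session_and_auth` also returns two different plugins, `auth` bound to the service endpoint and the session's own `ks_auth` bound to `auth_uri`; the docstring should say which one a caller that takes only `['session']` ends up using. The docstring has the typo `serviceinitialization` and does not mention that `**kwargs` is forwarded to `get_endpoint_for_project`.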