diff --git a/tasks/heat_domain_setup.yml b/tasks/heat_domain_setup.yml
index cb7c1ea..0b6cc35 100644
--- a/tasks/heat_domain_setup.yml
+++ b/tasks/heat_domain_setup.yml
@@ -58,47 +58,42 @@ - heat-domain-setup - heat-config -# TODO Change the keystone library to support adding -# a user to a domain without specifying a project - name: Ensure heat user - shell: | - . {{ ansible_env.HOME }}/openrc - {{ heat_bin }}/openstack {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }}\ - --os-identity-api-version=3 \ - --os-auth-url={{ keystone_service_adminurl }} \ - --os-project-name={{ heat_project_name }} \ - --os-project-domain-name={{ heat_project_domain_name }} \ - --os-user-domain-name={{ heat_user_domain_name }} \ - user \ - create \ - --or-show \ - --domain {{ heat_stack_user_domain_name }} \ - --password {{ heat_stack_domain_admin_password }} \ - "{{ heat_stack_domain_admin }}" + keystone: + command: "ensure_user" + endpoint: "{{ keystone_service_adminurl }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" + user_name: "{{ heat_stack_domain_admin }}" + domain_name: "{{ heat_stack_user_domain_name }}" + password: "{{ heat_stack_domain_admin_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" + register: add_service + until: add_service|success + retries: 5 + delay: 10 tags: - heat-domain - heat-domain-setup - heat-config - heat-command-bin - -# TODO Change the keystone library to support adding -# a role to a user without specifying a project -- name: Assign admin role to heat domain admin user - shell: | - . 
{{ ansible_env.HOME }}/openrc - {{ heat_bin }}/openstack {{ keystone_service_adminuri_insecure | bool | ternary('--insecure','') }}\ - --os-identity-api-version=3 \ - --os-auth-url={{ keystone_service_adminurl }} \ - --os-project-name={{ heat_project_name }} \ - --os-project-domain-name={{ heat_project_domain_name }} \ - --os-user-domain-name={{ heat_user_domain_name }} \ - role \ - add \ - --user {{ heat_stack_domain_admin }} \ - --domain {{ heat_stack_user_domain_name }} \ - --user-domain {{ heat_stack_user_domain_name }} \ - admin +- name: Ensure heat role + keystone: + command: "ensure_user_role" + endpoint: "{{ keystone_service_adminurl }}" + login_user: "{{ keystone_admin_user_name }}" + login_password: "{{ keystone_auth_admin_password }}" + login_project_name: "{{ keystone_admin_tenant_name }}" + user_name: "{{ heat_stack_domain_admin }}" + role_name: "admin" + domain_name: "{{ heat_stack_user_domain_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" + register: add_service + until: add_service|success + retries: 5 + delay: 10 tags: - heat-domain - heat-domain-setup
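Review bot: In both new `keystone` tasks, `insecure: "{{ keystone_service_adminuri_insecure }}"` drops the `| bool` coercion that the removed shell commands applied, so whether a string value such as "False" still means "verify TLS" now depends on how the keystone module types that argument, which this hunk does not show. Writing `insecure: "{{ keystone_service_adminuri_insecure | bool }}"` keeps a truthy string from silently turning certificate verification off. Both tasks also carry `login_password`, and "Ensure heat user" carries `password`; unless the module marks those arguments as no-log, adding `no_log: true` keeps them out of verbose and failure output, at the cost of hiding the error text when the retries are exhausted. `register: add_service` is reused for a user result and a role result, so names such as `heat_domain_user` and `heat_domain_role` would read better. The tags list of "Ensure heat role" continues past the end of the hunk.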