diff --git a/tasks/keystone_db_setup.yml b/tasks/keystone_db_setup.yml
index f28375b2..fe5ae49b 100644
--- a/tasks/keystone_db_setup.yml
+++ b/tasks/keystone_db_setup.yml
@@ -15,9 +15,12 @@
 
 - name: Check current state of Keystone DB
   command: "{{ keystone_bin }}/keystone-manage db_sync --check"
+  become: yes
+  become_user: "{{ keystone_system_user_name }}"
   register: keystone_db_sync_check
   failed_when: "keystone_db_sync_check.rc == 1"
   changed_when: "keystone_db_sync_check.rc not in [2, 3, 4]"
+  run_once: yes
 
 - name: Set the db sync local facts
   ini_file:
@@ -63,6 +66,7 @@
   become_user: "{{ keystone_system_user_name }}"
   when:
     - "ansible_local['openstack_ansible']['keystone']['need_db_expand'] | bool"
+  run_once: yes
 
 - name: Perform a Keystone DB sync migrate
   command: "{{ keystone_bin }}/keystone-manage db_sync --migrate"
@@ -70,6 +74,7 @@
   become_user: "{{ keystone_system_user_name }}"
   when:
     - "ansible_local['openstack_ansible']['keystone']['need_db_migrate'] | bool"
+  run_once: yes
 
 - name: Perform a Keystone DB sync contract
   command: "{{ keystone_bin }}/keystone-manage db_sync --contract"
@@ -78,3 +83,4 @@
   when:
     - "(keystone_all_software_updated | default('no')) | bool"
     - "ansible_local['openstack_ansible']['keystone']['need_db_contract'] | bool"
+  run_once: yes
diff --git a/tasks/keystone_token_cleanup.yml b/tasks/keystone_token_cleanup.yml
index a4754e0d..14fa2081 100644
--- a/tasks/keystone_token_cleanup.yml
+++ b/tasks/keystone_token_cleanup.yml
@@ -19,3 +19,4 @@
     minute: 0
     job: "{{ keystone_bin }}/keystone-manage token_flush"
     user: "{{ keystone_system_user_name }}"
+  delegate_to: "{{ groups['keystone_all'][0] }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 98e4e8e6..015fa9fa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -95,7 +95,6 @@
 - include: keystone_db_setup.yml
   when:
     - "keystone_database_enabled | bool"
-    - "inventory_hostname == ansible_play_hosts[0]"
   tags:
     - keystone-config
 
@@ -103,7 +102,7 @@
   static: no
   when:
     - "'sql' in keystone_token_driver"
-    - inventory_hostname == groups['keystone_all'][0]
+  run_once: yes
   tags:
     - keystone-install
 
@@ -127,7 +126,7 @@
 - include: keystone_service_setup.yml
   when:
     - keystone_service_setup | bool
-    - inventory_hostname == ansible_play_hosts[0]
+  run_once: yes
   tags:
     - keystone-config
 
@@ -141,7 +140,7 @@
   when:
     - keystone_service_setup | bool
     - keystone_sp != {}
-    - inventory_hostname == groups['keystone_all'][0]
+  run_once: yes
   tags:
     - keystone-config
 
@@ -161,5 +160,6 @@
   register: keystone_doctor
   failed_when: not debug and keystone_doctor.rc != 0
   changed_when: false
+  run_once: yes
   tags:
     - always