diff --git a/manifests/apinode.pp b/manifests/apinode.pp
index 58d56ee..7b8d78b 100644
--- a/manifests/apinode.pp
+++ b/manifests/apinode.pp
@@ -1,4 +1,6 @@
 class kickstack::apinode inherits kickstack {
   include kickstack::api::keystone
   include kickstack::endpoints::keystone
+
+  kickstack::endpoints::service { [ "glance"]: }
 }
diff --git a/manifests/endpoints/service.pp b/manifests/endpoints/service.pp
new file mode 100644
index 0000000..d9f8c55
--- /dev/null
+++ b/manifests/endpoints/service.pp
@@ -0,0 +1,29 @@
+define kickstack::endpoints::service {
+
+  include pwgen
+
+  $servicename = $name
+  $factname = "${servicename}_keystone_password"
+  $classname = "${servicename}::keystone::auth"
+
+  # Grab the service's keystone user password from a kickstack fact and configure
+  # Keystone accordingly. If no fact has been set, generate a password.
+  $service_password = pick(getvar("${::kickstack::fact_prefix}${factname}"),pwgen())
+
+  # Installs the service user endpoint.
+  class { "${classname}":
+    password         => "$service_password",
+    public_address   => "${hostname}${keystone_public_suffix}",
+    admin_address    => "${hostname}${keystone_admin_suffix}",
+    internal_address => "$hostname",
+    region           => "$::kickstack::keystone_region",
+    require          => Class['::keystone'],
+  }
+
+  kickstack::exportfact::export { "${factname}":
+    value => "${service_password}",
+    tag => "${servicename}",
+    require => Class["${classname}"]
+  }
+
+}