diff --git a/manifests/orchestration/engine.pp b/manifests/orchestration/engine.pp
index 88713c72..23b2f3ed 100644
--- a/manifests/orchestration/engine.pp
+++ b/manifests/orchestration/engine.pp
@@ -23,7 +23,8 @@ class cloud::orchestration::engine(
   $ks_heat_password               = 'heatpassword',
   $ks_heat_cfn_public_port        = 8000,
   $ks_heat_cloudwatch_public_port = 8003,
-  $auth_encryption_key            = 'secrete'
+  $auth_encryption_key            = 'secrete',
+  $ks_admin_tenant                = 'admin',
 ) {
 
   include 'cloud::orchestration'
@@ -36,4 +37,10 @@ class cloud::orchestration::engine(
     heat_watch_server_url         => "${ks_heat_public_proto}://${ks_heat_public_host}:${ks_heat_cloudwatch_public_port}"
   }
 
+  # to avoid bug https://bugs.launchpad.net/heat/+bug/1306665
+  keystone_user_role { "admin@${ks_admin_tenant}":
+    ensure => present,
+    roles  => 'heat_stack_owner',
+  }
+
 }
diff --git a/spec/classes/cloud_orchestration_engine_spec.rb b/spec/classes/cloud_orchestration_engine_spec.rb
index a1950675..bf7b0d00 100644
--- a/spec/classes/cloud_orchestration_engine_spec.rb
+++ b/spec/classes/cloud_orchestration_engine_spec.rb
@@ -57,33 +57,37 @@ describe 'cloud::orchestration::engine' do
 
     it 'configure heat common' do
       is_expected.to contain_class('heat').with(
-          :verbose                 => true,
-          :debug                   => true,
-          :log_facility            => 'LOG_LOCAL0',
-          :use_syslog              => true,
-          :rabbit_userid           => 'heat',
-          :rabbit_hosts            => ['10.0.0.1'],
-          :rabbit_password         => 'secrete',
-          :keystone_host           => '10.0.0.1',
-          :keystone_port           => '5000',
-          :keystone_protocol       => 'http',
-          :keystone_password       => 'secrete',
-          :auth_uri                => 'http://10.0.0.1:5000/v2.0',
-          :keystone_ec2_uri        => 'http://10.0.0.1:5000/v2.0/ec2tokens',
-          :sql_connection          => 'mysql://heat:secrete@10.0.0.1/heat?charset=utf8',
-          :log_dir                 => false
-        )
+        :verbose                 => true,
+        :debug                   => true,
+        :log_facility            => 'LOG_LOCAL0',
+        :use_syslog              => true,
+        :rabbit_userid           => 'heat',
+        :rabbit_hosts            => ['10.0.0.1'],
+        :rabbit_password         => 'secrete',
+        :keystone_host           => '10.0.0.1',
+        :keystone_port           => '5000',
+        :keystone_protocol       => 'http',
+        :keystone_password       => 'secrete',
+        :auth_uri                => 'http://10.0.0.1:5000/v2.0',
+        :keystone_ec2_uri        => 'http://10.0.0.1:5000/v2.0/ec2tokens',
+        :sql_connection          => 'mysql://heat:secrete@10.0.0.1/heat?charset=utf8',
+        :log_dir                 => false
+      )
       is_expected.to contain_heat_config('clients/endpoint_type').with('value' => 'internalURL')
     end
 
     it 'configure heat engine' do
       is_expected.to contain_class('heat::engine').with(
-          :enabled                       => true,
-          :auth_encryption_key           => 'secrete',
-          :heat_metadata_server_url      => 'http://10.0.0.1:8000',
-          :heat_waitcondition_server_url => 'http://10.0.0.1:8000/v1/waitcondition',
-          :heat_watch_server_url         => 'http://10.0.0.1:8003'
-        )
+        :enabled                       => true,
+        :auth_encryption_key           => 'secrete',
+        :heat_metadata_server_url      => 'http://10.0.0.1:8000',
+        :heat_waitcondition_server_url => 'http://10.0.0.1:8000/v1/waitcondition',
+        :heat_watch_server_url         => 'http://10.0.0.1:8003'
+      )
+      is_expected.to contain_keystone_user_role('admin@admin').with(
+        :ensure => 'present',
+        :roles  => 'heat_stack_owner',
+      )
     end
 
   end