Have you tried the workaround documented in bug 1325475?

> Cause: In the course of upgrading the undercloud from OSPd 7 to OSPd 8, the _member_ role is removed from the admin user because Keystone no longer uses that idiom. Trusts stored in the Heat database rely on the trustor user retaining all of their delegated roles, which includes the _member_ role.
>
> Consequence: Heat stack updates after the undercloud upgrade fail with authentication errors.
>
> Fix: Run the command:
>
>     openstack role add _member_ --user admin --project admin
>
> to re-add the _member_ role to the admin user.
>
> Result: The trusts work as expected to authenticate.