diff --git a/scripts/assert-user b/scripts/assert-user
index be519b61..237ab24c 100755
--- a/scripts/assert-user
+++ b/scripts/assert-user
@@ -68,8 +68,8 @@ if [ -z "$EMAIL" -o -z "$NAME" -o -z "$TENANT" -o -z "$USERCODE" -o -n "$EXTRA_A
 fi
 
 echo "Checking for user $USERCODE"
-#TODO: fix after bug 1392035 in keystone client
-USER_ID=$(keystone user-list | awk '{print tolower($0)}' |grep " ${USERCODE,,} " |awk '{print$2}')
+#TODO: fix after bug 1392035 in the keystone client library
+USER_ID=$(openstack user list | awk '{print tolower($0)}' |grep " ${USERCODE,,} " |awk '{print$2}')
 if [ -z "$USER_ID" ]; then
     PASSWORD=''
     if [ -e os-asserted-users ]; then
@@ -79,24 +79,23 @@ if [ -z "$USER_ID" ]; then
         PASSWORD=$(os-make-password)
         echo "$USERCODE $PASSWORD" >> os-asserted-users
     fi
-    USER_ID=$(keystone user-create --name=$USERCODE \
-        --pass="$PASSWORD" \
-        --email="$EMAIL" | awk '$2=="id" {print $4}')
+    USER_ID=$(openstack user create --pass "$PASSWORD"
+        --email "$EMAIL" $USERCODE | awk '$2=="id" {print $4}')
 fi
-#TODO: fix after bug 1392035 in keystone client
-TENANT_ID=$(keystone tenant-list | awk '{print tolower($0)}' |grep " ${TENANT,,} " |awk '{print$2}')
+#TODO: fix after bug 1392035 in the keystone client library
+TENANT_ID=$(openstack project list | awk '{print tolower($0)}' |grep " ${TENANT,,} " |awk '{print$2}')
 if [ -z "$TENANT_ID" ]; then
-    TENANT_ID=$(keystone tenant-create --name=$TENANT | awk '$2=="id" {print $4}')
+    TENANT_ID=$(openstack project create $TENANT | awk '$2=="id" {print $4}')
 fi
 if [ "$TENANT" = "admin" ]; then
     ROLE="admin"
 else
     ROLE="_member_"
 fi
-ROLE_ID=$(keystone role-get $ROLE | awk '$2=="id" {print $4}')
-if keystone user-role-list --user-id $USER_ID --tenant-id $TENANT_ID | grep "${ROLE_ID}.*${ROLE}.*${USER_ID}" ; then
+ROLE_ID=$(openstack role show $ROLE | awk '$2=="id" {print $4}')
+if openstack user role list --project $TENANT_ID $USER_ID | grep "${ROLE_ID}.*${ROLE}.*${USER_ID}" ; then
     echo "User already has role '$ROLE'"
 else
-    keystone user-role-add --user-id $USER_ID --role-id $ROLE_ID --tenant-id $TENANT_ID
+    openstack role add --project $TENANT_ID --user $USER_ID $ROLE_ID
 fi
 echo "User $USERCODE configured."
diff --git a/scripts/devtest_overcloud.sh b/scripts/devtest_overcloud.sh
index ef8adcc2..437cb080 100755
--- a/scripts/devtest_overcloud.sh
+++ b/scripts/devtest_overcloud.sh
@@ -589,8 +589,8 @@ if [ "stack-create" = "$HEAT_OP" ]; then #nodocs
         -e admin@example.com -p $OVERCLOUD_ADMIN_PASSWORD \
         ${SSLBASE:+-s $PUBLIC_API_URL} --no-pki-setup
     # Creating these roles to be used by tenants using swift
-    keystone role-create --name=swiftoperator
-    keystone role-create --name=ResellerAdmin
+    openstack role create swiftoperator
+    openstack role create ResellerAdmin
     setup-endpoints $OVERCLOUD_IP \
         --cinder-password $OVERCLOUD_CINDER_PASSWORD \
         --glance-password $OVERCLOUD_GLANCE_PASSWORD \
@@ -600,7 +600,7 @@ if [ "stack-create" = "$HEAT_OP" ]; then #nodocs
         --swift-password $OVERCLOUD_SWIFT_PASSWORD \
         --ceilometer-password $OVERCLOUD_CEILOMETER_PASSWORD \
         ${SSLBASE:+--ssl $PUBLIC_API_URL}
-    keystone role-create --name heat_stack_user
+    openstack role create heat_stack_user
     user-config
     BM_NETWORK_GATEWAY=$(OS_CONFIG_FILES=$TE_DATAFILE os-apply-config --key baremetal-network.gateway-ip --type raw --key-default '192.0.2.1')
     OVERCLOUD_NAMESERVER=$(os-apply-config -m $TE_DATAFILE --key overcloud.nameserver --type netaddress --key-default "$OVERCLOUD_FIXED_RANGE_NAMESERVER")
diff --git a/scripts/devtest_seed.sh b/scripts/devtest_seed.sh
index 25220c12..1455698e 100755
--- a/scripts/devtest_seed.sh
+++ b/scripts/devtest_seed.sh
@@ -305,10 +305,10 @@ ssh-keyscan -t rsa $BM_NETWORK_SEED_IP | tee -a ~/.ssh/known_hosts | grep -q "^$
 
 init-keystone -o $BM_NETWORK_SEED_IP -t unset -e admin@example.com -p unset --no-pki-setup
 setup-endpoints $BM_NETWORK_SEED_IP --glance-password unset --heat-password unset --neutron-password unset --nova-password unset $IRONIC_OPT
-keystone role-create --name heat_stack_user
+openstack role create heat_stack_user
 # Creating these roles to be used by tenants using swift
-keystone role-create --name=swiftoperator
-keystone role-create --name=ResellerAdmin
+openstack role create swiftoperator
+openstack role create ResellerAdmin
 
 echo "Waiting for nova to initialise..."
 wait_for -w 500 --delay 10 -- nova list
@@ -383,7 +383,7 @@ fi
 ##    allow unlimited cores, instances and ram.
 ##    ::
 
-nova quota-update --cores -1 --instances -1 --ram -1 $(keystone tenant-get admin | awk '$2=="id" {print $4}')
+nova quota-update --cores -1 --instances -1 --ram -1 $(openstack project show admin | awk '$2=="id" {print $4}')
 
 
 ## #. Register "bare metal" nodes with nova and setup Nova baremetal flavors.
diff --git a/scripts/devtest_undercloud.sh b/scripts/devtest_undercloud.sh
index 326d93cc..b85ae452 100755
--- a/scripts/devtest_undercloud.sh
+++ b/scripts/devtest_undercloud.sh
@@ -381,8 +381,8 @@ init-keystone -o $UNDERCLOUD_CTL_IP -t $UNDERCLOUD_ADMIN_TOKEN \
     --public $UNDERCLOUD_IP --no-pki-setup
 
 # Creating these roles to be used by tenants using swift
-keystone role-create --name=swiftoperator
-keystone role-create --name=ResellerAdmin
+openstack role create swiftoperator
+openstack role create ResellerAdmin
 
 
 # Create service endpoints and optionally include Ceilometer for UI support
@@ -398,7 +398,7 @@ fi
 
 setup-endpoints $UNDERCLOUD_CTL_IP $ENDPOINT_LIST $REGISTER_SERVICE_OPTS \
     --public $UNDERCLOUD_IP
-keystone role-create --name heat_stack_user
+openstack role create heat_stack_user
 
 user-config
 
@@ -460,7 +460,7 @@ fi
 ##    allow unlimited cores, instances and ram.
 ##    ::
 
-nova quota-update --cores -1 --instances -1 --ram -1 $(keystone tenant-get admin | awk '$2=="id" {print $4}')
+nova quota-update --cores -1 --instances -1 --ram -1 $(openstack project show admin | awk '$2=="id" {print $4}')
 
 ## #. Register two baremetal nodes with your undercloud.
 ##    ::
diff --git a/scripts/os-adduser b/scripts/os-adduser
index 8b4727af..5be55f4e 100755
--- a/scripts/os-adduser
+++ b/scripts/os-adduser
@@ -68,43 +68,43 @@ fi
 
 PASSWORD=${PASSWORD:-$(os-make-password)}
 
-ADMIN_ROLE=$(keystone role-get admin| awk '$2=="id" {print $4}')
+ADMIN_ROLE=$(openstack role show admin| awk '$2=="id" {print $4}')
 if [ -z "$ADMIN_ROLE" ]; then
     echo "Could not find admin role" >&2
     exit 1
 fi
-MEMBER_ROLE=$(keystone role-get _member_| awk '$2=="id" {print $4}')
+MEMBER_ROLE=$(openstack role show _member_| awk '$2=="id" {print $4}')
 # Role _member_ is implicitly created by Keystone only while creating a new user
 # If no users were created, need to create a role explicitly
 if [ -z "$MEMBER_ROLE" ]; then
-    MEMBER_ROLE=$(keystone role-create --name=_member_ | awk '$2=="id" {print $4}')
+    MEMBER_ROLE=$(openstack role create _member_ | awk '$2=="id" {print $4}')
     echo "Created role _member_ with id ${MEMBER_ROLE}" >&2
 fi
-ADMIN_USER_ID=$(keystone user-get admin | awk '$2=="id" {print $4}')
+ADMIN_USER_ID=$(openstack user show admin | awk '$2=="id" {print $4}')
 if [ -z "$ADMIN_USER_ID" ]; then
     echo "Could not find admin user" >&2
     exit 1
 fi
 
-if ! keystone tenant-get $NAME 1>/dev/null 2>&1 ; then
-    USER_TENANT_ID=$(keystone tenant-create --name=$NAME | awk '$2=="id" {print $4}')
+if ! openstack project show $NAME 1>/dev/null 2>&1 ; then
+    USER_TENANT_ID=$(openstack project create $NAME | awk '$2=="id" {print $4}')
     if [ -z "$USER_TENANT_ID" ]; then
         echo "Failed to create tenant $NAME" >&2
         exit 1
     fi
 else
-    USER_TENANT_ID=$(keystone tenant-get $NAME 2>/dev/null| awk '$2=="id" {print $4}')
+    USER_TENANT_ID=$(openstack project show $NAME 2>/dev/null| awk '$2=="id" {print $4}')
     if [ -z "$USER_TENANT_ID" ]; then
         echo "Failed to retrieve existing tenant $NAME" >&2
         exit 1
     fi
 fi
 
-USER_ID=$(keystone user-get $NAME | awk '$2=="id" {print $4}')
+USER_ID=$(openstack user show $NAME | awk '$2=="id" {print $4}')
 if [ -z "$USER_ID" ]; then
-    USER_ID=$(keystone user-create --name=$NAME \
-            --pass="$PASSWORD" \
-            --email=$EMAIL | awk '$2=="id" {print $4}')
+    USER_ID=$(openstack user create \
+            --password "$PASSWORD" \
+            --email $EMAIL $NAME | awk '$2=="id" {print $4}')
     if [ -z "$USER_ID" ]; then
         echo "Failed to create user $NAME" >&2
         exit 1
@@ -115,14 +115,14 @@ else
     echo "User $NAME with id $USER_ID already exists"
 fi
 
-if keystone user-role-list --user-id $USER_ID --tenant-id $USER_TENANT_ID | grep -q "\s$MEMBER_ROLE\s"; then
+if openstack role list --user $USER_ID --project $USER_TENANT_ID | grep -q "\s$MEMBER_ROLE\s"; then
     echo "Role $MEMBER_ROLE is already granted for user $USER_ID with tenant $USER_TENANT_ID"
 else
-    keystone user-role-add --user-id $USER_ID --role-id $MEMBER_ROLE --tenant-id $USER_TENANT_ID
+    openstack role add --user $USER_ID --project $USER_TENANT_ID $MEMBER_ROLE
 fi
 
-if keystone user-role-list --user-id $ADMIN_USER_ID --tenant-id $USER_TENANT_ID | grep -q "\s$ADMIN_ROLE\s"; then
+if openstack role list --user $ADMIN_USER_ID --project $USER_TENANT_ID | grep -q "\s$ADMIN_ROLE\s"; then
     echo "Role $ADMIN_ROLE is already granted for user $ADMIN_USER_ID with tenant $USER_TENANT_ID"
 else
-    keystone user-role-add --user-id $ADMIN_USER_ID --role-id $ADMIN_ROLE --tenant-id $USER_TENANT_ID
+    openstack role add --user $ADMIN_USER_ID --project $USER_TENANT_ID $ADMIN_ROLE
 fi
diff --git a/scripts/register-endpoint b/scripts/register-endpoint
index f60ef7b0..190e2efe 100755
--- a/scripts/register-endpoint
+++ b/scripts/register-endpoint
@@ -138,7 +138,7 @@ if [ -z "$ADMIN_URL" ]; then
     ADMIN_URL="$INTERNAL_URL"
 fi
 
-ADMIN_ROLE=$(keystone $DEBUG role-list | awk '/ admin / {print $2}')
+ADMIN_ROLE=$(openstack $DEBUG role list | awk '/ admin / {print $2}')
 if [ -z "$ADMIN_ROLE" ]; then
     echo "Could not find admin role" >&2
     exit 1
@@ -146,43 +146,43 @@ fi
 
 # Some services don't need a user
 if [ "dashboard" != "$TYPE" ]; then
-    SERVICE_TENANT=$(keystone $DEBUG tenant-list | awk '/ service / {print $2}')
+    SERVICE_TENANT=$(openstack $DEBUG project list | awk '/ service / {print $2}')
     PASSWORD=${PASSWORD:-$(os-make-password)}
 
     # Some services have multiple endpoints, the user doesn't need to be recreated
-    USER_ID=$(keystone user-get $NAME | awk '$2=="id" { print $4 }')
+    USER_ID=$(openstack $DEBUG user show $NAME | awk '$2=="id" { print $4 }')
     if [ -z "$USER_ID" ]; then
-        USER_ID=$(keystone $DEBUG user-create --name=$NAME --pass=$PASSWORD --tenant-id $SERVICE_TENANT --email=nobody@example.com | awk ' / id / {print $4}')
+        USER_ID=$(openstack $DEBUG user create --password $PASSWORD --project $SERVICE_TENANT --email=nobody@example.com $NAME | awk ' / id / {print $4}')
     fi
-    if ! keystone user-role-list --tenant-id $SERVICE_TENANT --user-id $USER_ID | grep -q " $ADMIN_ROLE "; then
+    if ! openstack role list --project $SERVICE_TENANT --user $USER_ID | grep -q " $ADMIN_ROLE "; then
         echo "Creating user-role assignment for user $NAME, role admin, tenant service"
-        keystone user-role-add $DEBUG \
-            --tenant-id $SERVICE_TENANT \
-            --user-id $USER_ID \
-            --role-id $ADMIN_ROLE
+        openstack role add $DEBUG \
+            --project  $SERVICE_TENANT \
+            --user $USER_ID \
+            $ADMIN_ROLE
     fi
     #Add the admin tenant role for ceilometer user to enable polling services
     if  [ "metering" == "$TYPE" ]; then
-        ADMIN_TENANT=$(keystone $DEBUG tenant-list | awk '/ admin / {print $2}')
-        if ! keystone user-role-list --tenant-id $ADMIN_TENANT --user-id $USER_ID | grep -q " $ADMIN_ROLE "; then
+        ADMIN_TENANT=$(openstack $DEBUG project list | awk '/ admin / {print $2}')
+        if ! openstack role list --project $ADMIN_TENANT --user $USER_ID | grep -q " $ADMIN_ROLE "; then
             echo "Creating user-role assignment for user $NAME, role admin, tenant admin"
-            keystone user-role-add $DEBUG \
-                --tenant-id $ADMIN_TENANT \
-                --user-id $USER_ID \
-                --role-id $ADMIN_ROLE
+            openstack role add $DEBUG \
+                --project $ADMIN_TENANT \
+                --user $USER_ID \
+                $ADMIN_ROLE
             #swift polling requires ResellerAdmin role to be added to the Ceilometer user
-            RESELLER_ADMIN_ROLE=$(keystone $DEBUG role-list | awk '/ ResellerAdmin / {print $2}')
-            keystone user-role-add $DEBUG \
-                --tenant-id $ADMIN_TENANT \
-                --user-id $USER_ID \
-                --role-id $RESELLER_ADMIN_ROLE
+            RESELLER_ADMIN_ROLE=$(openstack $DEBUG role list | awk '/ ResellerAdmin / {print $2}')
+            openstack role add $DEBUG \
+                --project $ADMIN_TENANT \
+                --user $USER_ID \
+                $RESELLER_ADMIN_ROLE
         fi
     fi
 
 fi
-SERVICE_ID=$(keystone $DEBUG service-create --name=$NAME --type=$TYPE "$DESCRIPTION" | awk '/ id / {print $4}')
-keystone endpoint-create $DEBUG --region "$REGION" --service-id $SERVICE_ID \
+SERVICE_ID=$(openstack $DEBUG service create --name $NAME "$DESCRIPTION" $TYPE | awk '/ id / {print $4}')
+openstack endpoint create $DEBUG \
     --publicurl   "${PUBLIC_URL}${SUFFIX}" \
     --adminurl    "${ADMIN_URL}${ADMIN_SUFFIX}" \
-    --internalurl "${INTERNAL_URL}${SUFFIX}"
+    --internalurl "${INTERNAL_URL}${SUFFIX}"  --region "$REGION" $SERVICE_ID
 echo "Service $TYPE created"