diff --git a/inventory/sample/group_vars/all/openstack.yml b/inventory/sample/group_vars/all/openstack.yml index 71c392414..a7f86271c 100644 --- a/inventory/sample/group_vars/all/openstack.yml +++ b/inventory/sample/group_vars/all/openstack.yml @@ -35,6 +35,13 @@ # - "" # external_openstack_metadata_search_order: "configDrive,metadataService" +## Application credentials to authenticate against Keystone API +## Those settings will take precedence over username and password that might be set your environment +## All of them are required +# external_openstack_application_credential_name: +# external_openstack_application_credential_id: +# external_openstack_application_credential_secret: + ## The tag of the external OpenStack Cloud Controller image # external_openstack_cloud_controller_image_tag: "latest" diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml index d46bcb626..9abc927e2 100644 --- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml +++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/openstack-credential-check.yml 
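Review bot: The comment `## All of them are required` does not match what the new credential-check tasks enforce: `external_openstack_application_credential_id` and `_secret` are only validated when `_name` is non-empty, and the template renders each of the three keys independently, so the sample overstates the rule. The second line also reads awkwardly (`that might be set your environment`). I would write the three lines as `## Application credentials to authenticate against the Keystone API`, `## When set, they take precedence over the username and password that might be set in your environment`, `## If external_openstack_application_credential_name is set, the id and secret must be set as well`. Because `external_openstack_application_credential_secret` is a secret, a short pointer here to keep it out of the committed inventory (ansible-vault or a lookup) would fit alongside the commented placeholder.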
@@ -4,24 +4,63 @@ msg: "external_openstack_auth_url is missing" when: external_openstack_auth_url is not defined or not external_openstack_auth_url -- name: External OpenStack Cloud Controller | check external_openstack_username value + +- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value fail: - msg: "external_openstack_username is missing" - when: external_openstack_username is not defined or not external_openstack_username + msg: "you must either set external_openstack_username or external_openstack_application_credential_name" + when: + - external_openstack_username is not defined or not external_openstack_username + - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name + + +- name: External OpenStack Cloud Controller | check external_openstack_application_credential_id value + fail: + msg: "external_openstack_application_credential_id is missing" + when: + - external_openstack_application_credential_name is defined + - external_openstack_application_credential_name|length > 0 + - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id + + +- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value + fail: + msg: "external_openstack_application_credential_secret is missing" + when: + - external_openstack_application_credential_name is defined + - external_openstack_application_credential_name|length > 0 + - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret + - name: External OpenStack Cloud Controller | check external_openstack_password value fail: msg: "external_openstack_password is missing" - when: external_openstack_password is not defined or not external_openstack_password + when: + - external_openstack_username is defined + - 
external_openstack_username|length > 0 + - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name + - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret + - external_openstack_password is not defined or not external_openstack_password + - name: External OpenStack Cloud Controller | check external_openstack_region value fail: msg: "external_openstack_region is missing" when: external_openstack_region is not defined or not external_openstack_region + - name: External OpenStack Cloud Controller | check external_openstack_tenant_id value fail: msg: "one of external_openstack_tenant_id or external_openstack_tenant_name must be specified" when: - - (external_openstack_tenant_id is not defined or not external_openstack_tenant_id) and - (external_openstack_tenant_name is not defined or not external_openstack_tenant_name) + - external_openstack_tenant_id is not defined or not external_openstack_tenant_id + - external_openstack_tenant_name is not defined or not external_openstack_tenant_name + - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name + + +- name: External OpenStack Cloud Controller | check external_openstack_domain_id value + fail: + msg: "one of external_openstack_domain_id or external_openstack_domain_name must be specified" + when: + - external_openstack_domain_id is not defined or not external_openstack_domain_id + - external_openstack_domain_name is not defined or not external_openstack_domain_name + - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2 index 25a3ab089..2ccf9f9bd 100644 
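Review bot: The new checks gate everything on `external_openstack_application_credential_name`, while the template in the next hunk suppresses `username`/`password` whenever `external_openstack_application_credential_id` alone is defined; an inventory with only `_id` + `_secret` (which Keystone accepts) is therefore rejected by the first task with "you must either set external_openstack_username or external_openstack_application_credential_name", so the id-only path the template supports cannot pass validation. Conversely, the password check skips when `_secret` is set even if neither `_name` nor `_id` is, so username + `_secret` without `_password` passes the checks and the template still renders `password="{{ external_openstack_password }}"`, which most likely fails at render time on the undefined variable. The `_secret` check should trigger when either `_name` or `_id` is set, and the password check should be exempted by `_id`/`_name` rather than by `_secret`; the same `_name`-only exemption appears in the tenant and domain checks at the end of the hunk. Rewritten tasks below; the region/tenant/domain tasks are left as they are.

```yaml
- name: External OpenStack Cloud Controller | check external_openstack_username or external_openstack_application_credential_name value
  fail:
    msg: "you must either set external_openstack_username or one of external_openstack_application_credential_name / external_openstack_application_credential_id"
  when:
    - external_openstack_username is not defined or not external_openstack_username
    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id

# … unchanged: external_openstack_application_credential_id check …

- name: External OpenStack Cloud Controller | check external_openstack_application_credential_secret value
  fail:
    msg: "external_openstack_application_credential_secret is missing"
  when:
    - (external_openstack_application_credential_name is defined and external_openstack_application_credential_name|length > 0) or
      (external_openstack_application_credential_id is defined and external_openstack_application_credential_id|length > 0)
    - external_openstack_application_credential_secret is not defined or not external_openstack_application_credential_secret

- name: External OpenStack Cloud Controller | check external_openstack_password value
  fail:
    msg: "external_openstack_password is missing"
  when:
    - external_openstack_username is defined
    - external_openstack_username|length > 0
    - external_openstack_application_credential_id is not defined or not external_openstack_application_credential_id
    - external_openstack_application_credential_name is not defined or not external_openstack_application_credential_name
    - external_openstack_password is not defined or not external_openstack_password

# … unchanged: region, tenant and domain checks …
```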
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-config.j2
@@ -1,7 +1,18 @@
 [Global]
 auth-url="{{ external_openstack_auth_url }}"
+{% if external_openstack_application_credential_id is not defined and external_openstack_application_credential_name is not defined %}
 username="{{ external_openstack_username }}"
 password="{{ external_openstack_password }}"
+{% endif %}
+{% if external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "" %}
+application-credential-id={{ external_openstack_application_credential_id }}
+{% endif %}
+{% if external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "" %}
+application-credential-name={{ external_openstack_application_credential_name }}
+{% endif %}
+{% if external_openstack_application_credential_secret is defined and external_openstack_application_credential_secret != "" %}
+application-credential-secret={{ external_openstack_application_credential_secret }}
+{% endif %}
 region="{{ external_openstack_region }}"
 {% if external_openstack_tenant_id is defined and external_openstack_tenant_id != "" %}
 tenant-id="{{ external_openstack_tenant_id }}"
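Review bot: The guard around `username`/`password` tests only `is not defined`, while the three guards added right below it and the check tasks treat an empty string as unset; an inventory carrying `external_openstack_application_credential_id: ""` (the sample placeholder with an empty value) therefore drops username and password and emits none of the application-credential keys, leaving `[Global]` with no credentials at all. Use the same non-empty test on that line: `{% if not (external_openstack_application_credential_id is defined and external_openstack_application_credential_id != "") and not (external_openstack_application_credential_name is defined and external_openstack_application_credential_name != "") %}`. The three new values are also the only ones in the section written without the surrounding double quotes every other key uses; quoting them (`application-credential-secret="{{ external_openstack_application_credential_secret }}"`) keeps the style uniform and may avoid a secret containing `#` or `;` being cut short by the INI reader, though I cannot confirm the consumer's parsing rules from here.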