diff --git a/manifests/site.pp b/manifests/site.pp
index ea6abc056b..bb9682e902 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -29,6 +29,8 @@ node 'review.openstack.org' {
     ssh_rsa_pubkey_contents         => hiera('gerrit_ssh_rsa_pubkey_contents'),
     ssh_project_rsa_key_contents    => hiera('gerrit_project_ssh_rsa_key_contents'),
     ssh_project_rsa_pubkey_contents => hiera('gerrit_project_ssh_rsa_pubkey_contents'),
+    ssh_welcome_rsa_key_contents    => hiera('welcome_message_gerrit_ssh_private_key'),
+    ssh_welcome_rsa_pubkey_contents => hiera('welcome_message_gerrit_ssh_public_key'),
     lp_sync_consumer_key            => hiera('gerrit_lp_consumer_key'),
     lp_sync_token                   => hiera('gerrit_lp_access_token'),
     lp_sync_secret                  => hiera('gerrit_lp_access_secret'),
diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp
index 5ab9d31756..7cf5fcafe6 100644
--- a/modules/openstack_project/manifests/gerrit.pp
+++ b/modules/openstack_project/manifests/gerrit.pp
@@ -22,6 +22,8 @@ class openstack_project::gerrit (
   $ssh_rsa_pubkey_contents = '', # If left empty puppet will not create file.
   $ssh_project_rsa_key_contents = '', # If left empty will not create file.
   $ssh_project_rsa_pubkey_contents = '', # If left empty will not create file.
+  $ssh_welcome_rsa_key_contents='', # If left empty will not create file.
+  $ssh_welcome_rsa_pubkey_contents='', # If left empty will not create file.
   $email = '',
   $database_poollimit = '',
   $container_heaplimit = '',
@@ -292,6 +294,28 @@ class openstack_project::gerrit (
     require => Class['::gerrit'],
   }
 
+  if $ssh_welcome_rsa_key_contents != '' {
+    file { '/home/gerrit2/review_site/etc/ssh_welcome_rsa_key':
+      owner   => 'gerrit2',
+      group   => 'gerrit2',
+      mode    => '0600',
+      content => $ssh_welcome_rsa_key_contents,
+      replace => true,
+      require => File['/home/gerrit2/review_site/etc']
+    }
+  }
+
+  if $ssh_welcome_rsa_pubkey_contents != '' {
+    file { '/home/gerrit2/review_site/etc/ssh_welcome_rsa_key.pub':
+      owner   => 'gerrit2',
+      group   => 'gerrit2',
+      mode    => '0644',
+      content => $ssh_welcome_rsa_pubkey_contents,
+      replace => true,
+      require => File['/home/gerrit2/review_site/etc']
+    }
+  }
+
   if ($projects_file != 'UNDEF') {
     if ($replicate_local) {
       file { $local_git_dir:
diff --git a/modules/openstack_project/manifests/review.pp b/modules/openstack_project/manifests/review.pp
index 4457920c77..39e77508a1 100644
--- a/modules/openstack_project/manifests/review.pp
+++ b/modules/openstack_project/manifests/review.pp
@@ -55,6 +55,9 @@ class openstack_project::review (
   # manage-projects's user ssh key.
   $ssh_project_rsa_key_contents='',
   $ssh_project_rsa_pubkey_contents='',
+  # welcome-message's user ssh key.
+  $ssh_welcome_rsa_key_contents='',
+  $ssh_welcome_rsa_pubkey_contents='',
   # To be renamed - they're now just launchpad creds, not lp_sync
   $lp_sync_consumer_key='',
   $lp_sync_token='',
@@ -92,6 +95,8 @@ class openstack_project::review (
     ssh_rsa_pubkey_contents         => $ssh_rsa_pubkey_contents,
     ssh_project_rsa_key_contents    => $ssh_project_rsa_key_contents,
     ssh_project_rsa_pubkey_contents => $ssh_project_rsa_pubkey_contents,
+    ssh_welcome_rsa_key_contents    => $ssh_welcome_rsa_key_contents,
+    ssh_welcome_rsa_pubkey_contents => $ssh_welcome_rsa_pubkey_contents,
     email                           => 'review@openstack.org',
       # 1 + 100 + 9 + 2 + 2 + 25 = 139(rounded up)
     database_poollimit              => '150',
diff --git a/modules/openstack_project/templates/gerrit_patchset-created.erb b/modules/openstack_project/templates/gerrit_patchset-created.erb
index 5d59203307..efdf9de159 100755
--- a/modules/openstack_project/templates/gerrit_patchset-created.erb
+++ b/modules/openstack_project/templates/gerrit_patchset-created.erb
@@ -9,5 +9,8 @@ timeout -k 2m 10m /usr/local/bin/trivial-rebase \
     --whitespace \
     --private-key-path=<%= ssh_host_key %> \
     --role-user=<%= trivial_rebase_role_id %> "$@"
+<% if $ssh_welcome_rsa_key_contents != "" -%>
 timeout -k 2m 10m /usr/local/bin/welcome-message patchset-created --dryrun \
-    welcome-message@review.openstack.org  <%= welcome-message_gerrit_ssh_private_key %> "$@"
+    welcome-message@review.openstack.org \
+    /home/gerrit2/review_site/etc/ssh_welcome_rsa_key "$@"
+<% end -%>