diff --git a/docker/common/heat/heat-base/config-heat.sh b/docker/common/heat/heat-base/config-heat.sh
index 449fbd9980..9275e5645a 100755
--- a/docker/common/heat/heat-base/config-heat.sh
+++ b/docker/common/heat/heat-base/config-heat.sh
@@ -17,7 +17,8 @@ set -e
 check_required_vars HEAT_DB_PASSWORD HEAT_KEYSTONE_PASSWORD \
                     HEAT_API_CFN_URL_HOST HEAT_API_CFN_SERVICE_PORT \
                     KEYSTONE_PUBLIC_SERVICE_HOST KEYSTONE_PUBLIC_SERVICE_PORT \
-                    RABBITMQ_SERVICE_HOST MARIADB_SERVICE_HOST
+                    RABBITMQ_SERVICE_HOST MARIADB_SERVICE_HOST \
+                    HEAT_DOMAIN_PASS
 
 fail_unless_db
 dump_vars
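Review bot: `dump_vars` runs two lines after the extended `check_required_vars` call, so whatever it records will now also include `HEAT_DOMAIN_PASS`, a Keystone domain-admin credential. `dump_vars` is defined outside this diff; if it writes the full variable set to a file or to the container log, that output should be owner-readable only, or names matching `*PASS*` should be filtered out. The same exposure would already apply to `HEAT_DB_PASSWORD` and `HEAT_KEYSTONE_PASSWORD`, so it is better fixed once in the helper than here.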
@@ -67,3 +68,10 @@ crudini --set /etc/heat/heat.conf DEFAULT heat_metadata_server_url \
     http://${HEAT_API_CFN_URL_HOST}:${HEAT_API_CFN_SERVICE_PORT}
 crudini --set /etc/heat/heat.conf DEFAULT heat_waitcondition_server_url \
     http://${HEAT_API_CFN_URL_HOST}:${HEAT_API_CFN_SERVICE_PORT}/v1/waitcondition
+
+crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin \
+    "heat_domain_admin"
+crudini --set /etc/heat/heat.conf DEFAULT stack_domain_admin_password \
+    "${HEAT_DOMAIN_PASS}"
+crudini --set /etc/heat/heat.conf DEFAULT stack_user_domain_name \
+    "heat_user_domain"
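Review bot: The literals `heat_domain_admin` and `heat_user_domain` written here are repeated in the `heat-keystone-setup-domain` call in heat-engine/start.sh, and nothing ties the two together. If one side is edited, heat.conf will name an admin or domain that was never created in Keystone. Since start.sh sources this file, assign them once here, e.g. `HEAT_STACK_DOMAIN_ADMIN=heat_domain_admin` and `HEAT_STACK_USER_DOMAIN=heat_user_domain` (variable names are a suggestion), and use the variables in both places. A comment above the block such as `# Credentials heat-engine uses to manage stack users in a dedicated Keystone domain` would explain why a second password now lives in heat.conf.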
diff --git a/docker/common/heat/heat-engine/start.sh b/docker/common/heat/heat-engine/start.sh
index 531b693752..16453a3bed 100755
--- a/docker/common/heat/heat-engine/start.sh
+++ b/docker/common/heat/heat-engine/start.sh
@@ -4,7 +4,7 @@
 . /opt/kolla/config-heat.sh
 
 check_required_vars HEAT_DB_NAME HEAT_DB_USER HEAT_DB_PASSWORD \
-                    INIT_HEAT_DB
+                    INIT_HEAT_DB HEAT_DOMAIN_PASS
 fail_unless_db
 
 if [ "${INIT_HEAT_DB}" == "true" ]; then
@@ -15,6 +15,13 @@ GRANT ALL PRIVILEGES ON ${HEAT_DB_NAME}.* TO
 EOF
 
     /usr/bin/heat-manage db_sync
+
+    # If the database needs to be created, assume keystone-setup is allowed to
+    # run as well.
+    heat-keystone-setup-domain \
+        --stack-user-domain-name heat_user_domain \
+        --stack-domain-admin heat_domain_admin \
+        --stack-domain-admin-password ${HEAT_DOMAIN_PASS}
 fi
 
 exec /usr/bin/heat-engine
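Review bot: `${HEAT_DOMAIN_PASS}` on the last line of the `heat-keystone-setup-domain` call is unquoted, unlike the crudini call in config-heat.sh. A value containing whitespace or glob characters would be split or expanded, so the command either fails or sets a password different from the one written to heat.conf; use `--stack-domain-admin-password "${HEAT_DOMAIN_PASS}"`. Passing the secret as an argument also exposes it in the process list while the command runs, so if the tool can read the password from the environment or a file, prefer that. The enclosing `if` block starts outside this hunk.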
diff --git a/docs/integration-guide.md b/docs/integration-guide.md
index 122f028670..884d74f22a 100755
--- a/docs/integration-guide.md
+++ b/docs/integration-guide.md
@@ -112,6 +112,7 @@ all containers.  This allows a simple method of ensuring every type of node
     HEAT_API_SERVICE_HOST=<IP> - The IP Address where the Heat API service is hosted
     HEAT_API_CFN_SERVICE_HOST=<IP> - The IP Address where Heat users will contact the heat-engine in search for meta data
     HEAT_API_CFN_URL_HOST=<IP> - The IP Address where Heat virtual machines will contact the heat-engine to signal wait conditions
+    HEAT_DOMAIN_PASS=<password> - The Heat domain password
     INIT_CINDER_DB=<true|false> - Initialize or update the Cinder db
     INIT_DESIGNATE_DB=<true|false> - Initialize or update the Designate db
     INIT_GLANCE_DB=<true|false> - Initialize or update the Glance db
diff --git a/tools/genenv b/tools/genenv
index b908d951b7..fdb1920001 100755
--- a/tools/genenv
+++ b/tools/genenv
@@ -142,6 +142,7 @@ HEAT_API_SERVICE_HOST=$HOST_IP
 HEAT_API_CFN_SERVICE_HOST=$HOST_IP
 HEAT_API_CFN_SERVICE_PORT=8000
 HEAT_API_CFN_URL_HOST=$HOST_IP
+HEAT_DOMAIN_PASS=$(openssl rand -hex 8)
 
 # Magnum
 MAGNUM_DB_NAME=magnum
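Review bot: `openssl rand -hex 8` gives `HEAT_DOMAIN_PASS` only 64 bits of randomness, which is on the low side for a credential that administers a Keystone domain; `HEAT_DOMAIN_PASS=$(openssl rand -hex 16)` costs nothing extra. If `openssl` is missing or fails, the assignment yields an empty string, and nothing visible in this hunk checks for that, so the failure would presumably surface only later in the container's `check_required_vars`. The later hunk at `@@ -290,6 +291,7 @@` writes the value into the generated environment output; the mode of that file is not shown here and should be owner-only.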
@@ -290,6 +291,7 @@ HEAT_API_SERVICE_HOST=$HEAT_API_SERVICE_HOST
 HEAT_API_CFN_SERVICE_HOST=$HEAT_API_CFN_SERVICE_HOST
 HEAT_API_CFN_SERVICE_PORT=$HEAT_API_CFN_SERVICE_PORT
 HEAT_API_CFN_URL_HOST=$HEAT_API_CFN_URL_HOST
+HEAT_DOMAIN_PASS=$HEAT_DOMAIN_PASS
 MAGNUM_DB_NAME=$MAGNUM_DB_NAME
 MAGNUM_DB_PASSWORD=$MAGNUM_DB_PASSWORD
 MAGNUM_KEYSTONE_PASSWORD=$MAGNUM_KEYSTONE_PASSWORD