diff --git a/zaza/openstack/charm_tests/keystone/tests.py b/zaza/openstack/charm_tests/keystone/tests.py
index 8fd06e3..49a2447 100644
--- a/zaza/openstack/charm_tests/keystone/tests.py
+++ b/zaza/openstack/charm_tests/keystone/tests.py
@@ -14,6 +14,7 @@
 """Encapsulate keystone testing."""
 import collections
+import configparser
 import json
 import logging
 import pprint
@@ -191,6 +192,56 @@ class CharmOperationTest(BaseKeystoneTest):
 new_passwd = juju_utils.leader_get(self.application_name, ADMIN_PASSWD)
 assert old_passwd != new_passwd
+ def test_rotate_service_user_password(self):
+ """Verify action used to rotate a service user (glance) password."""
+ GLANCE_PASSWD_KEY = "glance_passwd"
+ GLANCE_APP = "glance"
+ GLANCE_CONF_FILE = '/etc/glance/glance-api.conf'
+
+ def _get_password_from_leader():
+ conf = zaza.model.file_contents('glance/leader', GLANCE_CONF_FILE)
+ config = configparser.ConfigParser()
+ config.read_string(conf)
+ return config['keystone_authtoken']['password'].strip()
+
+ # Only do the test if glance is in the model.
+ applications = zaza.model.sync_deployed(self.model_name)
+ if GLANCE_APP not in applications:
+ self.skipTest(
+ '{} is not deployed, so not doing password change'
+ .format(GLANCE_APP))
+ # keep the old password to verify it is changed.
+ old_passwd_leader_storage = juju_utils.leader_get(
+ self.application_name, GLANCE_PASSWD_KEY)
+ old_passwd_conf = _get_password_from_leader()
+
+ # verify that images can be listed.
+ glance_client = openstack_utils.get_glance_session_client(
+ self.admin_keystone_session)
+ glance_client.images.list()
+
+ # run the action to rotate the password.
+ zaza.model.run_action_on_leader(
+ self.application_name,
+ 'rotate-service-user-password',
+ action_params={'service-user': 'glance'},
+ )
+
+ # verify that the password has changed
+ new_passwd_leader_storage = juju_utils.leader_get(
+ self.application_name, GLANCE_PASSWD_KEY)
+ new_passwd_conf = _get_password_from_leader()
+ self.assertNotEqual(old_passwd_leader_storage,
+ new_passwd_leader_storage)
+ self.assertNotEqual(old_passwd_conf,
+ new_passwd_conf)
+ self.assertEqual(new_passwd_leader_storage, new_passwd_conf)
+
+ # verify that the images can still be listed.
+ glance_client = openstack_utils.get_glance_session_client(
+ self.admin_keystone_session)
+ glance_client.images.list()
+
 class AuthenticationAuthorizationTest(BaseKeystoneTest):
 """Keystone authentication and authorization tests."""
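Review bot: The two `glance_client.images.list()` calls in `test_rotate_service_user_password` may never send a request, so the "can still be listed" check after the rotation would prove nothing. If `get_glance_session_client` returns the python-glanceclient v2 client, `images.list()` is a lazy generator and has to be consumed, e.g. `list(glance_client.images.list())`. The action result is not checked and nothing waits for glance to re-render its config before `_get_password_from_leader()` is called again, so the re-read can race with the update; consider passing `raise_on_failure=True` to `run_action_on_leader` and calling `zaza.model.block_until_all_units_idle()` before re-reading. Separately, `assertNotEqual`/`assertEqual` on the raw passwords print both values in the failure message, which puts service credentials into CI logs; a form such as `self.assertTrue(old_passwd_conf != new_passwd_conf, 'glance-api.conf password was not rotated')` keeps them out.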