diff --git a/cinder/context.py b/cinder/context.py
index e2f627971160..58044bfb2eae 100644
--- a/cinder/context.py
+++ b/cinder/context.py
@@ -19,6 +19,8 @@
 
 import copy
 
+from keystoneauth1 import plugin
+from keystoneauth1.access import service_catalog as ksa_service_catalog
 from oslo_config import cfg
 from oslo_context import context
 from oslo_log import log as logging
@@ -42,6 +44,30 @@ CONF.register_opts(context_opts)
 
 LOG = logging.getLogger(__name__)
 
+class _ContextAuthPlugin(plugin.BaseAuthPlugin):
+    """A keystoneauth auth plugin that uses the values from the Context.
+
+    Ideally we would use the plugin provided by auth_token middleware however
+    this plugin isn't serialized yet so we construct one from the serialized
+    auth data.
+    """
+
+    def __init__(self, auth_token, sc):
+        super(_ContextAuthPlugin, self).__init__()
+
+        self.auth_token = auth_token
+        self.service_catalog = ksa_service_catalog.ServiceCatalogV2(sc)
+
+    def get_token(self, *args, **kwargs):
+        return self.auth_token
+
+    def get_endpoint(self, session, service_type=None, interface=None,
+                     region_name=None, service_name=None, **kwargs):
+        return self.service_catalog.url_for(service_type=service_type,
+                                            service_name=service_name,
+                                            interface=interface,
+                                            region_name=region_name)
+
 
 class RequestContext(context.RequestContext):
     """Security context and request information.
@@ -155,6 +181,10 @@ class RequestContext(context.RequestContext):
     def deepcopy(self):
         return copy.deepcopy(self)
 
+    def get_auth_plugin(self):
+        return _ContextAuthPlugin(self.auth_token, self.service_catalog)
+
+
     # NOTE(sirp): the openstack/common version of RequestContext uses
     # tenant/user whereas the Cinder version uses project_id/user_id.
     # NOTE(adrienverge): The Cinder version of RequestContext now uses
diff --git a/cinder/keymgr/barbican.py b/cinder/keymgr/barbican.py
index ee59cbc5a879..28cf45d4a40f 100644
--- a/cinder/keymgr/barbican.py
+++ b/cinder/keymgr/barbican.py
@@ -101,10 +101,7 @@ class BarbicanKeyManager(key_mgr.KeyManager):
             return self._barbican_client
 
         try:
-            auth = identity.v3.Token(
-                auth_url=CONF.keymgr.encryption_auth_url,
-                token=ctxt.auth_token,
-                project_id=ctxt.project_id)
+            auth = ctxt.get_auth_plugin()
             sess = session.Session(auth=auth)
             self._barbican_client = barbican_client.Client(
                 session=sess,