diff --git a/awx/main/models/credential/injectors.py b/awx/main/models/credential/injectors.py
index 9bf7edc4a9..945077851a 100644
--- a/awx/main/models/credential/injectors.py
+++ b/awx/main/models/credential/injectors.py
@@ -1,4 +1,5 @@
 import json
+import yaml
 import os
 import stat
 import tempfile
@@ -62,3 +63,32 @@ def vmware(cred, env, private_data_dir):
     env['VMWARE_PASSWORD'] = cred.get_input('password', default='')
     env['VMWARE_HOST'] = cred.get_input('host', default='')
     env['VMWARE_VALIDATE_CERTS'] = str(settings.VMWARE_VALIDATE_CERTS)
+
+
+def _openstack_data(cred):
+    openstack_auth = dict(auth_url=cred.get_input('host', default=''),
+                          username=cred.get_input('username', default=''),
+                          password=cred.get_input('password', default=''),
+                          project_name=cred.get_input('project', default=''))
+    if cred.has_input('domain'):
+        openstack_auth['domain_name'] = cred.get_input('domain', default='')
+    verify_state = cred.get_input('verify_ssl', default=True)
+    openstack_data = {
+        'clouds': {
+            'devstack': {
+                'auth': openstack_auth,
+                'verify': verify_state,
+            },
+        },
+    }
+    return openstack_data
+
+
+def openstack(cred, env, private_data_dir):
+    handle, path = tempfile.mkstemp(dir=private_data_dir)
+    f = os.fdopen(handle, 'w')
+    openstack_data = _openstack_data(cred)
+    yaml.safe_dump(openstack_data, f, default_flow_style=False, allow_unicode=True)
+    f.close()
+    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
+    env['OS_CLIENT_CONFIG_FILE'] = path
diff --git a/awx/main/models/inventory.py b/awx/main/models/inventory.py
index 1ab7e28ea9..057c99f325 100644
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@@ -59,6 +59,7 @@ from awx.main.models.notifications import (
     NotificationTemplate,
     JobNotificationMixin,
 )
+from awx.main.models.credential.injectors import _openstack_data
 from awx.main.utils import _inventory_updates, region_sorting, get_licenser
 
 
@@ -2463,25 +2464,10 @@ class openstack(PluginFileInjector):
     def script_name(self):
         return 'openstack_inventory.py'  # exception
 
-    def _get_clouds_dict(self, inventory_update, credential, private_data_dir, mk_cache=True):
-        openstack_auth = dict(auth_url=credential.get_input('host', default=''),
-                              username=credential.get_input('username', default=''),
-                              password=credential.get_input('password', default=''),
-                              project_name=credential.get_input('project', default=''))
-        if credential.has_input('domain'):
-            openstack_auth['domain_name'] = credential.get_input('domain', default='')
+    def _get_clouds_dict(self, inventory_update, cred, private_data_dir, mk_cache=True):
+        openstack_data = _openstack_data(cred)
 
-        private_state = inventory_update.source_vars_dict.get('private', True)
-        verify_state = credential.get_input('verify_ssl', default=True)
-        openstack_data = {
-            'clouds': {
-                'devstack': {
-                    'private': private_state,
-                    'verify': verify_state,
-                    'auth': openstack_auth,
-                },
-            },
-        }
+        openstack_data['clouds']['devstack']['private'] = inventory_update.source_vars_dict.get('private', True)
         if mk_cache:
             # Retrieve cache path from inventory update vars if available,
             # otherwise create a temporary cache path only for this update.
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index d7521729b0..52d176e146 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -1340,24 +1340,6 @@ class RunJob(BaseTask):
             if credential.has_input('ssh_public_key_data'):
                 private_data.setdefault('certificates', {})[credential] = credential.get_input('ssh_public_key_data', default='')
 
-            if credential.kind == 'openstack':
-                openstack_auth = dict(auth_url=credential.get_input('host', default=''),
-                                      username=credential.get_input('username', default=''),
-                                      password=credential.get_input('password', default=''),
-                                      project_name=credential.get_input('project', default=''))
-                if credential.has_input('domain'):
-                    openstack_auth['domain_name'] = credential.get_input('domain', default='')
-                verify_state = credential.get_input('verify_ssl', default=True)
-                openstack_data = {
-                    'clouds': {
-                        'devstack': {
-                            'auth': openstack_auth,
-                            'verify': verify_state,
-                        },
-                    },
-                }
-                private_data['credentials'][credential] = yaml.safe_dump(openstack_data, default_flow_style=False, allow_unicode=True)
-
         return private_data
 
     def build_passwords(self, job, runtime_passwords):
@@ -1450,9 +1432,6 @@ class RunJob(BaseTask):
 
         # Set environment variables for cloud credentials.
         cred_files = private_data_files.get('credentials', {})
-        for cloud_cred in job.cloud_credentials:
-            if cloud_cred and cloud_cred.kind == 'openstack':
-                env['OS_CLIENT_CONFIG_FILE'] = cred_files.get(cloud_cred, '')
 
         for network_cred in job.network_credentials:
             env['ANSIBLE_NET_USERNAME'] = network_cred.get_input('username', default='')