diff --git a/.github/workflows/stackhpc-build-kayobe-image.yml b/.github/workflows/stackhpc-build-kayobe-image.yml
index cbbac9f71f..e500fd8045 100644
--- a/.github/workflows/stackhpc-build-kayobe-image.yml
+++ b/.github/workflows/stackhpc-build-kayobe-image.yml
@@ -42,7 +42,7 @@ jobs:
   build-kayobe-image:
     name: Build kayobe image
     if: inputs.if || github.repository == 'stackhpc/stackhpc-kayobe-config' && github.event_name == 'push'
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions:
       contents: read
       packages: write
diff --git a/.github/workflows/stackhpc-pull-request.yml b/.github/workflows/stackhpc-pull-request.yml
index ce9243ba2e..ec0ddccfba 100644
--- a/.github/workflows/stackhpc-pull-request.yml
+++ b/.github/workflows/stackhpc-pull-request.yml
@@ -13,7 +13,7 @@ jobs:
   # would skip the workflow entirely, and would prevent us from making the
   # aio jobs required to pass (a skip counts as a pass).
   check-changes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions:
       pull-requests: read
     name: Check changed files
@@ -32,7 +32,7 @@ jobs:
           filters: .github/path-filters.yml
 
   tox:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     permissions: {}
     strategy:
       matrix:
diff --git a/etc/kayobe/kolla/globals.yml b/etc/kayobe/kolla/globals.yml
index 35cebd7ae0..e84102b92c 100644
--- a/etc/kayobe/kolla/globals.yml
+++ b/etc/kayobe/kolla/globals.yml
@@ -31,6 +31,10 @@ kayobe_image_tags:
     centos: yoga-20240320T082414
     rocky: yoga-20240320T082414
     ubuntu: yoga-20240320T082414
+  keystone:
+    centos: yoga-20251031T085605
+    rocky: yoga-20251031T085605
+    ubuntu: yoga-20251031T133027
   magnum:
     centos: yoga-20240416T102136
     rocky: yoga-20240416T102136
@@ -54,6 +58,7 @@ glance_tag: "{% raw %}{{ kayobe_image_tags['glance'][kolla_base_distro] }}{% end
 grafana_tag: yoga-20240510T114335
 heat_tag: "{% raw %}{{ kayobe_image_tags['heat'][kolla_base_distro] }}{% endraw %}"
 horizon_tag: yoga-20240510T114335
+keystone_tag: "{% raw %}{{ kayobe_image_tags['keystone'][kolla_base_distro] }}{% endraw %}"
 magnum_tag: "{% raw %}{{ kayobe_image_tags['magnum'][kolla_base_distro] }}{% endraw %}"
 neutron_tag: "{% raw %}{{ kayobe_image_tags['neutron'][kolla_base_distro] }}{% endraw %}"
 nova_tag: "{% raw %}{{ kayobe_image_tags['nova'][kolla_base_distro] }}{% endraw %}"
diff --git a/releasenotes/notes/bump-keystone-image-ec2token-b503e2b32e6e50c4.yaml b/releasenotes/notes/bump-keystone-image-ec2token-b503e2b32e6e50c4.yaml
new file mode 100644
index 0000000000..3576d6aaa4
--- /dev/null
+++ b/releasenotes/notes/bump-keystone-image-ec2token-b503e2b32e6e50c4.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Security fixes for `bug 2119646 <https://launchpad.net/bugs/2119646>`__:
+    Unauthenticated access to EC2/S3 token
+    endpoints can grant Keystone authorization.