diff --git a/CHANGELOG.md b/CHANGELOG.md
index 517750d27..469a67d7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ FEATURES:
 IMPROVEMENTS:
 
   * core: Improve message to list only resources which will be destroyed when using `--target` [GH-3859]
+  * connection/ssh: accept private_key contents instead of paths [GH-3846]
   * provider/google: preemptible option for instance_template [GH-3667]
   * provider/google: Accurate Terraform Version [GH-3554]
   * provider/google: Simplified auth (DefaultClient support) [GH-3553]
diff --git a/communicator/ssh/communicator.go b/communicator/ssh/communicator.go
index 14f356358..d37d6757b 100644
--- a/communicator/ssh/communicator.go
+++ b/communicator/ssh/communicator.go
@@ -93,7 +93,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) (err error) {
 				"  SSH Agent: %t",
 			c.connInfo.Host, c.connInfo.User,
 			c.connInfo.Password != "",
-			c.connInfo.KeyFile != "",
+			c.connInfo.PrivateKey != "",
 			c.connInfo.Agent,
 		))
 
@@ -107,7 +107,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) (err error) {
 					"  SSH Agent: %t",
 				c.connInfo.BastionHost, c.connInfo.BastionUser,
 				c.connInfo.BastionPassword != "",
-				c.connInfo.BastionKeyFile != "",
+				c.connInfo.BastionPrivateKey != "",
 				c.connInfo.Agent,
 			))
 		}
diff --git a/communicator/ssh/provisioner.go b/communicator/ssh/provisioner.go
index 813db5728..f9f889037 100644
--- a/communicator/ssh/provisioner.go
+++ b/communicator/ssh/provisioner.go
@@ -3,14 +3,13 @@ package ssh
 import (
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net"
 	"os"
 	"time"
 
+	"github.com/hashicorp/terraform/helper/pathorcontents"
 	"github.com/hashicorp/terraform/terraform"
-	"github.com/mitchellh/go-homedir"
 	"github.com/mitchellh/mapstructure"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
@@ -37,7 +36,7 @@ const (
 type connectionInfo struct {
 	User       string
 	Password   string
-	KeyFile    string `mapstructure:"key_file"`
+	PrivateKey string `mapstructure:"private_key"`
 	Host       string
 	Port       int
 	Agent      bool
@@ -45,11 +44,15 @@ type connectionInfo struct {
 	ScriptPath string        `mapstructure:"script_path"`
 	TimeoutVal time.Duration `mapstructure:"-"`
 
-	BastionUser     string `mapstructure:"bastion_user"`
-	BastionPassword string `mapstructure:"bastion_password"`
-	BastionKeyFile  string `mapstructure:"bastion_key_file"`
-	BastionHost     string `mapstructure:"bastion_host"`
-	BastionPort     int    `mapstructure:"bastion_port"`
+	BastionUser       string `mapstructure:"bastion_user"`
+	BastionPassword   string `mapstructure:"bastion_password"`
+	BastionPrivateKey string `mapstructure:"bastion_private_key"`
+	BastionHost       string `mapstructure:"bastion_host"`
+	BastionPort       int    `mapstructure:"bastion_port"`
+
+	// Deprecated
+	KeyFile        string `mapstructure:"key_file"`
+	BastionKeyFile string `mapstructure:"bastion_key_file"`
 }
 
 // parseConnectionInfo is used to convert the ConnInfo of the InstanceState into
@@ -92,6 +95,15 @@ func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
 		connInfo.TimeoutVal = DefaultTimeout
 	}
 
+	// Load deprecated fields; we can handle either path or contents in
+	// underlying implementation.
+	if connInfo.PrivateKey == "" && connInfo.KeyFile != "" {
+		connInfo.PrivateKey = connInfo.KeyFile
+	}
+	if connInfo.BastionPrivateKey == "" && connInfo.BastionKeyFile != "" {
+		connInfo.BastionPrivateKey = connInfo.BastionKeyFile
+	}
+
 	// Default all bastion config attrs to their non-bastion counterparts
 	if connInfo.BastionHost != "" {
 		if connInfo.BastionUser == "" {
@@ -100,8 +112,8 @@ func parseConnectionInfo(s *terraform.InstanceState) (*connectionInfo, error) {
 		if connInfo.BastionPassword == "" {
 			connInfo.BastionPassword = connInfo.Password
 		}
-		if connInfo.BastionKeyFile == "" {
-			connInfo.BastionKeyFile = connInfo.KeyFile
+		if connInfo.BastionPrivateKey == "" {
+			connInfo.BastionPrivateKey = connInfo.PrivateKey
 		}
 		if connInfo.BastionPort == 0 {
 			connInfo.BastionPort = connInfo.Port
@@ -130,10 +142,10 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
 	}
 
 	sshConf, err := buildSSHClientConfig(sshClientConfigOpts{
-		user:     connInfo.User,
-		keyFile:  connInfo.KeyFile,
-		password: connInfo.Password,
-		sshAgent: sshAgent,
+		user:       connInfo.User,
+		privateKey: connInfo.PrivateKey,
+		password:   connInfo.Password,
+		sshAgent:   sshAgent,
 	})
 	if err != nil {
 		return nil, err
@@ -142,10 +154,10 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
 	var bastionConf *ssh.ClientConfig
 	if connInfo.BastionHost != "" {
 		bastionConf, err = buildSSHClientConfig(sshClientConfigOpts{
-			user:     connInfo.BastionUser,
-			keyFile:  connInfo.BastionKeyFile,
-			password: connInfo.BastionPassword,
-			sshAgent: sshAgent,
+			user:       connInfo.BastionUser,
+			privateKey: connInfo.BastionPrivateKey,
+			password:   connInfo.BastionPassword,
+			sshAgent:   sshAgent,
 		})
 		if err != nil {
 			return nil, err
@@ -169,10 +181,10 @@ func prepareSSHConfig(connInfo *connectionInfo) (*sshConfig, error) {
 }
 
 type sshClientConfigOpts struct {
-	keyFile  string
-	password string
-	sshAgent *sshAgent
-	user     string
+	privateKey string
+	password   string
+	sshAgent   *sshAgent
+	user       string
 }
 
 func buildSSHClientConfig(opts sshClientConfigOpts) (*ssh.ClientConfig, error) {
@@ -180,8 +192,8 @@ func buildSSHClientConfig(opts sshClientConfigOpts) (*ssh.ClientConfig, error) {
 		User: opts.user,
 	}
 
-	if opts.keyFile != "" {
-		pubKeyAuth, err := readPublicKeyFromPath(opts.keyFile)
+	if opts.privateKey != "" {
+		pubKeyAuth, err := readPrivateKey(opts.privateKey)
 		if err != nil {
 			return nil, err
 		}
@@ -201,31 +213,27 @@ func buildSSHClientConfig(opts sshClientConfigOpts) (*ssh.ClientConfig, error) {
 	return conf, nil
 }
 
-func readPublicKeyFromPath(path string) (ssh.AuthMethod, error) {
-	fullPath, err := homedir.Expand(path)
+func readPrivateKey(pk string) (ssh.AuthMethod, error) {
+	key, _, err := pathorcontents.Read(pk)
 	if err != nil {
-		return nil, fmt.Errorf("Failed to expand home directory: %s", err)
-	}
-	key, err := ioutil.ReadFile(fullPath)
-	if err != nil {
-		return nil, fmt.Errorf("Failed to read key file %q: %s", path, err)
+		return nil, fmt.Errorf("Failed to read private key %q: %s", pk, err)
 	}
 
 	// We parse the private key on our own first so that we can
 	// show a nicer error if the private key has a password.
-	block, _ := pem.Decode(key)
+	block, _ := pem.Decode([]byte(key))
 	if block == nil {
-		return nil, fmt.Errorf("Failed to read key %q: no key found", path)
+		return nil, fmt.Errorf("Failed to read key %q: no key found", pk)
 	}
 	if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
 		return nil, fmt.Errorf(
 			"Failed to read key %q: password protected keys are\n"+
-				"not supported. Please decrypt the key prior to use.", path)
+				"not supported. Please decrypt the key prior to use.", pk)
 	}
 
-	signer, err := ssh.ParsePrivateKey(key)
+	signer, err := ssh.ParsePrivateKey([]byte(key))
 	if err != nil {
-		return nil, fmt.Errorf("Failed to parse key file %q: %s", path, err)
+		return nil, fmt.Errorf("Failed to parse key file %q: %s", pk, err)
 	}
 
 	return ssh.PublicKeys(signer), nil
diff --git a/communicator/ssh/provisioner_test.go b/communicator/ssh/provisioner_test.go
index fc6b686fb..aa029dad8 100644
--- a/communicator/ssh/provisioner_test.go
+++ b/communicator/ssh/provisioner_test.go
@@ -10,13 +10,13 @@ func TestProvisioner_connInfo(t *testing.T) {
 	r := &terraform.InstanceState{
 		Ephemeral: terraform.EphemeralState{
 			ConnInfo: map[string]string{
-				"type":     "ssh",
-				"user":     "root",
-				"password": "supersecret",
-				"key_file": "/my/key/file.pem",
-				"host":     "127.0.0.1",
-				"port":     "22",
-				"timeout":  "30s",
+				"type":        "ssh",
+				"user":        "root",
+				"password":    "supersecret",
+				"private_key": "someprivatekeycontents",
+				"host":        "127.0.0.1",
+				"port":        "22",
+				"timeout":     "30s",
 
 				"bastion_host": "127.0.1.1",
 			},
@@ -34,7 +34,7 @@ func TestProvisioner_connInfo(t *testing.T) {
 	if conf.Password != "supersecret" {
 		t.Fatalf("bad: %v", conf)
 	}
-	if conf.KeyFile != "/my/key/file.pem" {
+	if conf.PrivateKey != "someprivatekeycontents" {
 		t.Fatalf("bad: %v", conf)
 	}
 	if conf.Host != "127.0.0.1" {
@@ -61,7 +61,31 @@ func TestProvisioner_connInfo(t *testing.T) {
 	if conf.BastionPassword != "supersecret" {
 		t.Fatalf("bad: %v", conf)
 	}
-	if conf.BastionKeyFile != "/my/key/file.pem" {
+	if conf.BastionPrivateKey != "someprivatekeycontents" {
+		t.Fatalf("bad: %v", conf)
+	}
+}
+
+func TestProvisioner_connInfoLegacy(t *testing.T) {
+	r := &terraform.InstanceState{
+		Ephemeral: terraform.EphemeralState{
+			ConnInfo: map[string]string{
+				"type":         "ssh",
+				"key_file":     "/my/key/file.pem",
+				"bastion_host": "127.0.1.1",
+			},
+		},
+	}
+
+	conf, err := parseConnectionInfo(r)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if conf.PrivateKey != "/my/key/file.pem" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.BastionPrivateKey != "/my/key/file.pem" {
 		t.Fatalf("bad: %v", conf)
 	}
 }
diff --git a/helper/pathorcontents/read.go b/helper/pathorcontents/read.go
new file mode 100644
index 000000000..d0d4847da
--- /dev/null
+++ b/helper/pathorcontents/read.go
@@ -0,0 +1,40 @@
+// Helpers for dealing with file paths and their contents
+package pathorcontents
+
+import (
+	"io/ioutil"
+	"os"
+
+	"github.com/mitchellh/go-homedir"
+)
+
+// If the argument is a path, Read loads it and returns the contents,
+// otherwise the argument is assumed to be the desired contents and is simply
+// returned.
+//
+// The boolean second return value can be called `wasPath` - it indicates if a
+// path was detected and a file loaded.
+func Read(poc string) (string, bool, error) {
+	if len(poc) == 0 {
+		return poc, false, nil
+	}
+
+	path := poc
+	if path[0] == '~' {
+		var err error
+		path, err = homedir.Expand(path)
+		if err != nil {
+			return path, true, err
+		}
+	}
+
+	if _, err := os.Stat(path); err == nil {
+		contents, err := ioutil.ReadFile(path)
+		if err != nil {
+			return string(contents), true, err
+		}
+		return string(contents), true, nil
+	}
+
+	return poc, false, nil
+}
diff --git a/helper/pathorcontents/read_test.go b/helper/pathorcontents/read_test.go
new file mode 100644
index 000000000..8313894ea
--- /dev/null
+++ b/helper/pathorcontents/read_test.go
@@ -0,0 +1,140 @@
+package pathorcontents
+
+import (
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/mitchellh/go-homedir"
+)
+
+func TestRead_Path(t *testing.T) {
+	isPath := true
+	f, cleanup := testTempFile(t)
+	defer cleanup()
+
+	if _, err := io.WriteString(f, "foobar"); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	f.Close()
+
+	contents, wasPath, err := Read(f.Name())
+
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if wasPath != isPath {
+		t.Fatalf("expected wasPath: %t, got %t", isPath, wasPath)
+	}
+	if contents != "foobar" {
+		t.Fatalf("expected contents %s, got %s", "foobar", contents)
+	}
+}
+
+func TestRead_TildePath(t *testing.T) {
+	isPath := true
+	home, err := homedir.Dir()
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	f, cleanup := testTempFile(t, home)
+	defer cleanup()
+
+	if _, err := io.WriteString(f, "foobar"); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	f.Close()
+
+	r := strings.NewReplacer(home, "~")
+	homePath := r.Replace(f.Name())
+	contents, wasPath, err := Read(homePath)
+
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if wasPath != isPath {
+		t.Fatalf("expected wasPath: %t, got %t", isPath, wasPath)
+	}
+	if contents != "foobar" {
+		t.Fatalf("expected contents %s, got %s", "foobar", contents)
+	}
+}
+
+func TestRead_PathNoPermission(t *testing.T) {
+	isPath := true
+	f, cleanup := testTempFile(t)
+	defer cleanup()
+
+	if _, err := io.WriteString(f, "foobar"); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	f.Close()
+
+	if err := os.Chmod(f.Name(), 0); err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	contents, wasPath, err := Read(f.Name())
+
+	if err == nil {
+		t.Fatal("Expected error, got none!")
+	}
+	if wasPath != isPath {
+		t.Fatalf("expected wasPath: %t, got %t", isPath, wasPath)
+	}
+	if contents != "" {
+		t.Fatalf("expected contents %s, got %s", "", contents)
+	}
+}
+
+func TestRead_Contents(t *testing.T) {
+	isPath := false
+	input := "hello"
+
+	contents, wasPath, err := Read(input)
+
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if wasPath != isPath {
+		t.Fatalf("expected wasPath: %t, got %t", isPath, wasPath)
+	}
+	if contents != input {
+		t.Fatalf("expected contents %s, got %s", input, contents)
+	}
+}
+
+func TestRead_TildeContents(t *testing.T) {
+	isPath := false
+	input := "~/hello/notafile"
+
+	contents, wasPath, err := Read(input)
+
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if wasPath != isPath {
+		t.Fatalf("expected wasPath: %t, got %t", isPath, wasPath)
+	}
+	if contents != input {
+		t.Fatalf("expected contents %s, got %s", input, contents)
+	}
+}
+
+// Returns an open tempfile based at baseDir and a function to clean it up.
+func testTempFile(t *testing.T, baseDir ...string) (*os.File, func()) {
+	base := ""
+	if len(baseDir) == 1 {
+		base = baseDir[0]
+	}
+	f, err := ioutil.TempFile(base, "tf")
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	return f, func() {
+		os.Remove(f.Name())
+	}
+}
diff --git a/website/source/docs/provisioners/connection.html.markdown b/website/source/docs/provisioners/connection.html.markdown
index 6efd73e83..83fa8ebb4 100644
--- a/website/source/docs/provisioners/connection.html.markdown
+++ b/website/source/docs/provisioners/connection.html.markdown
@@ -68,8 +68,10 @@ provisioner "file" {
 
 **Additional arguments only supported by the "ssh" connection type:**
 
-* `key_file` - The SSH key to use for the connection. This takes preference over the
-  password if provided.
+* `private_key` - The contents of an SSH key to use for the connection. These can
+  be loaded from a file on disk using the [`file()` interpolation
+  function](/docs/configuration/interpolation.html#file_path_). This takes
+  preference over the password if provided.
 
 * `agent` - Set to false to disable using ssh-agent to authenticate.
 
@@ -99,5 +101,22 @@ The `ssh` connection additionally supports the following fields to facilitate a
 * `bastion_password` - The password we should use for the bastion host.
   Defaults to the value of `password`.
 
-* `bastion_key_file` - The SSH key to use for the bastion host. Defaults to the
-  value of `key_file`.
+* `bastion_private_key` - The contents of an SSH key file to use for the bastion
+  host. These can be loaded from a file on disk using the [`file()`
+  interpolation function](/docs/configuration/interpolation.html#file_path_).
+  Defaults to the value of `private_key`.
+
+## Deprecations
+
+These are supported for backwards compatibility and may be removed in a
+future version:
+
+* `key_file` - A path to or the contents of an SSH key to use for the
+  connection. These can be loaded from a file on disk using the [`file()`
+  interpolation function](/docs/configuration/interpolation.html#file_path_).
+  This takes preference over the password if provided.
+
+* `bastion_key_file` - The contents of an SSH key file to use for the bastion
+  host. These can be loaded from a file on disk using the [`file()`
+  interpolation function](/docs/configuration/interpolation.html#file_path_).
+  Defaults to the value of `key_file`.