diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md
index dda5ce3e..33bf12de 100644
--- a/modules/iam-user/README.md
+++ b/modules/iam-user/README.md
@@ -33,6 +33,9 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
 | path | Desired path for the IAM user | string | `/` | no |
 | pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
+| ssh_key_encoding | Which encoding format the uploaded SSH key is in. `SSH` for ssh-rsa or `PEM` for pem. | string | `SSH` | no |
+| ssh_public_key | Public key that is to be attached to this IAM account | string | - | no |
+| upload_ssh_key | Whether to upload and manage users public SSH key. | string | `false` | no |
 
 ## Outputs
 
@@ -48,6 +51,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
 | this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
 | this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this_iam_ssh_public_key_id | The AWS ID for the public key |
 | this_iam_user_arn | The ARN assigned by AWS for this user |
 | this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
 | this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf
index cdc7dab4..89163671 100644
--- a/modules/iam-user/main.tf
+++ b/modules/iam-user/main.tf
@@ -21,3 +21,11 @@ resource "aws_iam_access_key" "this" {
   user    = "${aws_iam_user.this.name}"
   pgp_key = "${var.pgp_key}"
 }
+
+resource "aws_iam_user_ssh_key" "this" {
+  count = "${var.upload_ssh_key}"
+
+  username = "${aws_iam_user.this.name}"
+  encoding = "${var.ssh_key_encoding}"
+  public_key = "${var.ssh_public_key}"
+}
\ No newline at end of file
diff --git a/modules/iam-user/outputs.tf b/modules/iam-user/outputs.tf
index a6cc529f..818177a3 100644
--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
@@ -86,3 +86,7 @@ ${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
 -----END PGP MESSAGE-----
 EOF
 }
+
+output "this_iam_ssh_public_key_id" {
+  value = "SSH Key ID: ${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
+}
\ No newline at end of file
diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf
index 2fbb8f7e..c8699d6e 100644
--- a/modules/iam-user/variables.tf
+++ b/modules/iam-user/variables.tf
@@ -41,3 +41,16 @@ variable "password_length" {
   description = "The length of the generated password"
   default     = 20
 }
+
+variable "upload_ssh_key" {
+  description = "Whether to upload a public ssh key to the IAM user"
+  default     = false
+}
+variable "ssh_key_encoding" {
+  description = "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM"
+  default = "SSH"
+}
+
+variable "ssh_public_key" {
+  description = "Public SSH key"
+}