diff --git a/lib/ansible/modules/cloud/amazon/ec2_win_password.py b/lib/ansible/modules/cloud/amazon/ec2_win_password.py
index 7fa65fe437..a8139ed08b 100644
--- a/lib/ansible/modules/cloud/amazon/ec2_win_password.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_win_password.py
@@ -27,8 +27,13 @@ options:
     required: true
   key_file:
     description:
-      - Path to the file containing the key pair used on the instance.
-    required: true
+      - Path to the file containing the key pair used on the instance, conflicts with key_data.
+    required: false
+  key_data:
+    version_added: "2.8"
+    description:
+      - Variable that references the private key (usually stored in vault), conflicts with key_file.
+    required: false
   key_passphrase:
     version_added: "2.0"
     description:
@@ -67,6 +72,14 @@ EXAMPLES = '''
     region: us-east-1
     key_file: "~/aws-creds/my_test_key.pem"
 
+# Example of getting a password using a variable
+- name: get the Administrator password
+  ec2_win_password:
+    profile: my-boto-profile
+    instance_id: i-XXXXXX
+    region: us-east-1
+    key_data: "{{ ec2_private_key }}"
+
 # Example of getting a password with a password protected key
 - name: get the Administrator password
   ec2_win_password:
@@ -108,8 +121,9 @@ def main():
     argument_spec = ec2_argument_spec()
     argument_spec.update(dict(
         instance_id=dict(required=True),
-        key_file=dict(required=True, type='path'),
+        key_file=dict(required=False, default=None, type='path'),
         key_passphrase=dict(no_log=True, default=None, required=False),
+        key_data=dict(no_log=True, default=None, required=False),
         wait=dict(type='bool', default=False, required=False),
         wait_timeout=dict(default=120, required=False, type='int'),
     )
@@ -124,6 +138,7 @@ def main():
 
     instance_id = module.params.get('instance_id')
     key_file = module.params.get('key_file')
+    key_data = module.params.get('key_data')
     if module.params.get('key_passphrase') is None:
         b_key_passphrase = None
     else:
@@ -151,16 +166,21 @@ def main():
     if wait and datetime.datetime.now() >= end:
         module.fail_json(msg="wait for password timeout after %d seconds" % wait_timeout)
 
-    try:
-        f = open(key_file, 'rb')
-    except IOError as e:
-        module.fail_json(msg="I/O error (%d) opening key file: %s" % (e.errno, e.strerror))
-    else:
+    if key_file is not None and key_data is None:
         try:
-            with f:
+            with open(key_file, 'rb') as f:
                 key = load_pem_private_key(f.read(), b_key_passphrase, default_backend())
+        except IOError as e:
+            # Handle bad files
+            module.fail_json(msg="I/O error (%d) opening key file: %s" % (e.errno, e.strerror))
         except (ValueError, TypeError) as e:
+            # Handle issues loading key
             module.fail_json(msg="unable to parse key file")
+    elif key_data is not None and key_file is None:
+        try:
+            key = load_pem_private_key(key_data, b_key_passphrase, default_backend())
+        except (ValueError, TypeError) as e:
+            module.fail_json(msg="unable to parse key data")
 
     try:
         decrypted = key.decrypt(decoded, PKCS1v15())