diff --git a/builder/amazon/common/access_config.go b/builder/amazon/common/access_config.go
index d29845d3d..94c74121a 100644
--- a/builder/amazon/common/access_config.go
+++ b/builder/amazon/common/access_config.go
@@ -18,6 +18,12 @@ import ( "github.com/hashicorp/packer/template/interpolate" )
+type VaultAWSEngineOptions struct {
+ Name string `mapstructure:"name"`
+ RoleARN string `mapstructure:"role_arn"`
+ TTL string `mapstructure:"ttl"`
+}
+
// AccessConfig is for common configuration related to AWS access type AccessConfig struct { AccessKey string `mapstructure:"access_key"`
@@ -32,6 +38,7 @@ type AccessConfig struct { SkipMetadataApiCheck bool `mapstructure:"skip_metadata_api_check"` Token string `mapstructure:"token"` session *session.Session
+ VaultAWSEngine VaultAWSEngineOptions `mapstructure:"vault_aws_engine"`
getEC2Connection func() ec2iface.EC2API }
@@ -44,6 +51,7 @@ func (c *AccessConfig) Session() (*session.Session, error) { } config := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
+
staticCreds := credentials.NewStaticCredentials(c.AccessKey, c.SecretKey, c.Token) if _, err := staticCreds.Get(); err != credentials.ErrStaticCredentialsEmpty { config.WithCredentials(staticCreds)
@@ -130,6 +138,13 @@ func (c *AccessConfig) Prepare(ctx *interpolate.Context) []error { } // Either both access and secret key must be set or neither of them should // be.
+ if c.VaultAWSEngine != nil {
+ if len(c.AccessKey) > 0 {
+ errs = append(errs,
+ fmt.Errorf("If you have set vault_aws_engine, you must not set"+
+ " the access_key or secret_key."))
+ }
+ }
if (len(c.AccessKey) > 0) != (len(c.SecretKey) > 0) { errs = append(errs, fmt.Errorf("`access_key` and `secret_key` must both be either set or not set."))
diff --git a/website/source/docs/builders/amazon-ebs.html.md b/website/source/docs/builders/amazon-ebs.html.md
index 00a19d77c..6d0f180bc 100644
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
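Review bot: VaultAWSEngineOptions is an exported type added without a doc comment, and none of its three fields says what it carries, so a reader has to open the website docs to learn that this block selects credentials from Vault's aws secrets engine and that `ttl` is written as a duration string like "3600s". Add `// VaultAWSEngineOptions configures fetching AWS credentials from Vault's aws secrets engine instead of static keys.` above the type and a one-line comment per field. The meanings of `name` (the Vault role to use) and `role_arn` are inferred from the field names and the docs hunk rather than from code in this diff, so confirm the wording against the engine's documentation before committing it.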
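Review bot: `if c.VaultAWSEngine != nil {` in Prepare does not compile: the field is declared earlier in this same diff as a struct value (`VaultAWSEngine VaultAWSEngineOptions`), not a pointer, so it cannot be compared with nil, and as written the mutual-exclusion check between static keys and Vault-issued credentials is never enforced. Either declare the field as `VaultAWSEngine *VaultAWSEngineOptions` and keep the nil test, or compare against the zero value, `if c.VaultAWSEngine != (VaultAWSEngineOptions{}) {`, which works because the struct holds only string fields. The inner condition also inspects only AccessKey although the error message names secret_key as well; `if len(c.AccessKey) > 0 || len(c.SecretKey) > 0 {` matches the stated rule, and Token presumably belongs in the same condition since all three feed the static credential chain in Session. Prepare's body continues outside the hunk.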
@@ -507,7 +507,7 @@ builder. - `user_data_file` (string) - Path to a file that will be used for the user data when launching the instance.
-- `use_vault_aws_engine` (bool) - Get credentials from Hashicorp Vault's aws
+- `vault_aws_engine` (object) - Get credentials from Hashicorp Vault's aws
secrets engine. You must already have created a role to use. For more information about generating credentials via the Vault engine, see the [Vault docs.]
@@ -534,6 +534,16 @@ builder. token are eventually consistent, Packer will pause for ten seconds after retrieving the credentials before continuing with the build.
+ ``` json
+ {
+ "vault_aws_engine": {
+ "name": "myrole"
+ "role_arn": "myarn"
+ "ttl": "3600s"
+ }
+ }
+ ```
+
- `vpc_id` (string) - If launching into a VPC subnet, Packer needs the VPC ID in order to create a temporary security group within the VPC. Requires `subnet_id` to be set. If this field is left blank, Packer will try to get