diff --git a/README.md b/README.md
index 98722d0..2b2d4be 100644
--- a/README.md
+++ b/README.md
@@ -61,7 +61,9 @@ _The Hetzner cli `hcloud` is also useful to have, mainly for debugging without h
 ### 💡 [Do not skip] Creating the terraform.tfvars file
 1. Create a project in your [Hetzner Cloud Console](https://console.hetzner.cloud/), and go to **Security > API Tokens** of that project to grab the API key. Take note of the key! ✅
-2. Generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+2. Either...
+ ...generate an ssh key pair for your cluster, unless you already have one that you'd like to use (ed25519 is the ideal type). Take note of the respective paths of your private and public keys! ✅
+ ...or make sure you have got an SSH agent running and your key is loaded (`ssh-add -L` to verify) and set `private_key = null` ✅
 3. Copy `terraform.tfvars.example` to `terraform.tfvars`, and replace the values from steps 1 and 2. ✅
 4. (Optional) There are other variables in `terraform.tfvars` that could be customized, like Hetzner region, and the node counts and sizes.
diff --git a/agents.tf b/agents.tf
index 8ca5cc7..3ec7d14 100644
--- a/agents.tf
+++ b/agents.tf
@@ -27,9 +27,10 @@ resource "hcloud_server" "agents" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
@@ -38,9 +39,10 @@ resource "hcloud_server" "agents" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
diff --git a/locals.tf b/locals.tf
index 5a4dbe4..4efec23 100644
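Review bot: The rewritten connection block never sets `agent`, so it keeps Terraform's default of using a running ssh-agent whenever `SSH_AUTH_SOCK` is present; with a file-based `private_key` that means the agent's keys are still offered as well, which can trip the server's MaxAuthTries when the agent holds many keys, and with `private_key = null` and no agent reachable the problem only surfaces as an SSH authentication error during provisioning. Making the mode explicit with `agent = local.ssh_private_key == null` keeps the two paths distinct; the identical block appears in the second agents.tf hunk and in both connection hunks of master.tf and servers.tf, so the same line belongs in each. Note too that `host_key` stays unset on all of these connections, so the remote-exec accepts whichever host answers on `self.ipv4_address`; a comment such as `# host_key not pinned: a freshly created server is trusted on first contact` would make that trade-off visible. The enclosing `resource "hcloud_server" "agents"` block starts outside the hunk.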
--- a/locals.tf
+++ b/locals.tf
@@ -1,7 +1,15 @@
 locals {
 first_control_plane_network_ip = cidrhost(hcloud_network.k3s.ip_range, 2)
- ssh_public_key = trimspace(file(var.public_key))
 hcloud_image_name = "ubuntu-20.04"
+ ssh_public_key = trimspace(file(var.public_key))
+ # ssh_private_key is either the contents of var.private_key or null to use a ssh agent.
+ ssh_private_key = var.private_key == null ? null : trimspace(file(var.private_key))
+ # ssh_identity is not set if the private key is passed directly, but if ssh agent is used, the public key tells ssh agent which private key to use.
+ # For terraforms provisioner.connection.agent_identity, we need the public key as a string.
+ ssh_identity = var.private_key == null ? local.ssh_public_key : null
+ # ssh_identity_file is used for ssh "-i" flag, its the private key if that is set, or a public key file
+ # if an ssh agent is used.
+ ssh_identity_file = var.private_key == null ? var.public_key : var.private_key
 k3os_install_commands = [
 "apt install -y grub-efi grub-pc-bin mtools xorriso",
diff --git a/master.tf b/master.tf
index 8da0368..561e1ab 100644
--- a/master.tf
+++ b/master.tf
@@ -23,9 +23,10 @@ resource "hcloud_server" "first_control_plane" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
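Review bot: All three new locals branch on `var.private_key == null`, but variables.tf is not touched by this commit, so the agent path only works if that variable is declared with `default = null` (or is otherwise allowed to be null); if it still carries a non-null default or a validation that rejects null, the `private_key = null` the README now recommends never reaches these conditionals. Worth confirming in variables.tf, and worth stating in the comment on `ssh_identity` that in agent mode `var.public_key` must be the public half of the key loaded in the agent, since that file becomes both `agent_identity` and the `-i` argument used elsewhere. Minor wording in the `ssh_identity_file` comment: `its the private key` should read `it's the private key`.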
@@ -34,16 +35,17 @@ resource "hcloud_server" "first_control_plane" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
 # Wait for k3os to be ready and fetch kubeconfig.yaml
 provisioner "local-exec" {
 command = <<-EOT
- sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${var.private_key} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
+ sleep 60 && ping ${self.ipv4_address} | grep --line-buffered "bytes from" | head -1 && sleep 100 && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ${local.ssh_identity_file} rancher@${self.ipv4_address}:/etc/rancher/k3s/k3s.yaml ${path.module}/kubeconfig.yaml
 sed -i -e 's/127.0.0.1/${self.ipv4_address}/g' ${path.module}/kubeconfig.yaml
 EOT
 }
diff --git a/servers.tf b/servers.tf
index 1510017..ba31ff3 100644
--- a/servers.tf
+++ b/servers.tf
@@ -26,9 +26,10 @@ resource "hcloud_server" "control_planes" {
 destination = "/tmp/config.yaml"
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
@@ -37,9 +38,10 @@ resource "hcloud_server" "control_planes" {
 inline = local.k3os_install_commands
 connection {
- user = "root"
- private_key = file(var.private_key)
- host = self.ipv4_address
+ user = "root"
+ private_key = local.ssh_private_key
+ agent_identity = local.ssh_identity
+ host = self.ipv4_address
 }
 }
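Review bot: `${local.ssh_identity_file}` is interpolated into the scp command unquoted, so a key path containing a space splits into extra arguments and the kubeconfig fetch fails; this was already true of `${var.private_key}`, but since the line is being rewritten it should become `-i "${local.ssh_identity_file}"`. In agent mode that file is the public key, which ssh only accepts as `-i` when the matching private key is loaded in an agent reachable from the shell Terraform spawns for local-exec, so a comment like `# agent mode: -i names the public key and ssh resolves the private half via the agent` would spare the next reader a trip to ssh_config(5). Separately, the command still runs with `StrictHostKeyChecking=no` and a null known_hosts file, so the cluster-admin kubeconfig is copied from whichever host answers on that address; the commit does not change that, but a comment acknowledging the first-contact trust would be appropriate next to it. The enclosing `resource "hcloud_server" "first_control_plane"` block starts outside the hunk.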