diff --git a/README.md b/README.md
index ff9e19d..a1868c5 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,34 @@ accounts::users:
 - 'command="/path/to/script.sh arg1 $SSH_ORIGINAL_COMMAND"'
 ```
+### SSH key groups
+
+Alternatively to specify the ssh keys for every user, they can be specified in groups in a seperate structure. Those groups can then be included for individual users.
+
+```yaml
+accounts::ssh_key_groups:
+ mykey_group1:
+ mykey1:
+ type: 'ssh-rsa'
+ key: 'AAAA....'
+ mykey2:
+ type: 'ssh-rsa'
+ key: 'AAAA....'
+ mykey_group2:
+ mykey3:
+ type: 'ssh-rsa'
+ key: 'AAAA....'
+
+accounts::users:
+ foo:
+ ssh_key_groups: ['mykey_group1', 'mykey_group2']
+ ssh_keys:
+ 'mykey4':
+ type: 'ssh-rsa'
+ key: 'AAAA....'
+```
+
+
 ### Password Management
 You can either provide an already hashed password or you can let the module take
diff --git a/manifests/init.pp b/manifests/init.pp
index c51a863..77b59a9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,13 +1,14 @@
 # Puppet accounts management
 #
 class accounts(
- Boolean $manage_users = true,
- Boolean $manage_groups = true,
- Hash $users = {},
- Hash $groups = {},
- Hash $user_defaults = {},
- Hash $options = {},
- Boolean $use_lookup = true,
+ Boolean $manage_users = true,
+ Boolean $manage_groups = true,
+ Hash $users = {},
+ Hash $groups = {},
+ Hash $user_defaults = {},
+ Hash $options = {},
+ Hash $ssh_key_groups = {},
+ Boolean $use_lookup = true,
 ) inherits ::accounts::params {
 # currently used mainly in tests to turn-off hiera backends
diff --git a/manifests/user.pp b/manifests/user.pp
index 8855750..8d5ffa4 100644
--- a/manifests/user.pp
+++ b/manifests/user.pp
@@ -47,6 +47,7 @@
 Array $groups = [],
 Optional[Stdlib::Absolutepath] $ssh_key_source = undef,
 Hash $ssh_keys = {},
+ Array $ssh_key_groups = [],
 Boolean $purge_ssh_keys = false,
 String $shell ='/bin/bash',
 String $pwhash = '',
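Review bot: `Hash $ssh_key_groups = {},` in the init.pp hunk accepts any hash shape, so a malformed Hiera entry (a group whose value is a string, or a key entry missing `type`/`key`) is not rejected at the class boundary and only surfaces later when user.pp merges it into the user's ssh_keys; `Hash[String, Hash[String, Hash]] $ssh_key_groups = {},` would enforce the structure the README documents at the point where it is declared. The same applies to `Array $ssh_key_groups = [],` in the first user.pp hunk, where `Array[String] $ssh_key_groups = [],` states what the later reduce indexes the class hash with. Both parameter lists start before their hunks, so if the headers carry `@param` documentation, the two new parameters need an entry there as well.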
@@ -247,8 +248,16 @@
 }
 }
+ $mapped_ssh_keys = $ssh_key_groups.reduce({}) |$memo, $key_group| {
+ if ($key_group in $accounts::ssh_key_groups) {
+ $memo + $accounts::ssh_key_groups[$key_group]
+ } else {
+ fail("Accounts:user ${username}: ssh_key_group ${key_group} does not exist!")
+ }
+ }
+
 accounts::authorized_keys { $username:
- ssh_keys => $ssh_keys,
+ ssh_keys => $mapped_ssh_keys + $ssh_keys,
 ssh_key_source => $ssh_key_source,
 authorized_keys_file => $authorized_keys_file,
 home_dir => $home_dir,
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
index 1363e4e..12288b5 100644
--- a/spec/classes/init_spec.rb
+++ b/spec/classes/init_spec.rb
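Review bot: Both merges in this hunk resolve a duplicate key name silently — Puppet's hash `+` lets the right operand win, so in `$memo + $accounts::ssh_key_groups[$key_group]` a later group replaces an earlier group's entry of the same name, and in `ssh_keys => $mapped_ssh_keys + $ssh_keys` the user's own entry replaces a group's. Since this decides which public keys end up authorized for the account, the precedence should be stated above the reduce, e.g. `# precedence on duplicate key names: later groups override earlier ones, and the user's own ssh_keys override all groups`, or a collision should be rejected with `fail()` the way the unknown-group case already is. The reference to `$accounts::ssh_key_groups` also assumes class `accounts` has been evaluated; if a user is declared with a non-empty `ssh_key_groups` but without that class, the `in` test runs against an undefined variable, and the empty default means the lambda never executes for existing users, so that path is easy to miss. The enclosing define body starts and ends outside the hunk.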
@@ -672,4 +672,70 @@
 it_behaves_like 'having_user_account', 'foo'
 end
+
+ context 'ssh_key_groups are defined' do
+ let(:ssh_key_groups) do
+ {
+ 'key_group1' => {
+ 'user1@example.com' => { 'type' => 'ssh-rsa', 'key' => 'user1-key' },
+ },
+ 'key_group2' => {
+ 'user2@example.com' => { 'type' => 'ssh-rsa', 'key' => 'user2-key' },
+ 'user3@example.com' => { 'type' => 'ssh-rsa', 'key' => 'user3-key' },
+ },
+ }
+ end
+
+ describe 'user includes only one ssh key group' do
+ let(:params) do
+ {
+ 'ssh_key_groups' => ssh_key_groups,
+ 'users' => { 'testuser' => {
+ 'managehome' => true,
+ 'ssh_key_groups' => ['key_group1']
+ }}
+ }
+ end
+
+ it { is_expected.to contain_ssh_authorized_key('user1@example.com') }
+ it { is_expected.to_not contain_ssh_authorized_key('user2@example.com') }
+ it { is_expected.to_not contain_ssh_authorized_key('user3@example.com') }
+ end
+
+ describe 'user includes multiple ssh key groups' do
+ let(:params) do
+ {
+ 'ssh_key_groups' => ssh_key_groups,
+ 'users' => { 'testuser' => {
+ 'managehome' => true,
+ 'ssh_key_groups' => ['key_group1', 'key_group2']
+ }}
+ }
+ end
+
+ it { is_expected.to contain_ssh_authorized_key('user1@example.com') }
+ it { is_expected.to contain_ssh_authorized_key('user2@example.com') }
+ it { is_expected.to contain_ssh_authorized_key('user3@example.com') }
+ end
+
+ describe 'user includes an ssh key group and an individual ssh key' do
+ let(:params) do
+ {
+ 'ssh_key_groups' => ssh_key_groups,
+ 'users' => { 'testuser' => {
+ 'managehome' => true,
+ 'ssh_key_groups' => ['key_group1'],
+ 'ssh_keys' => {
+ 'user4@example.com' => { 'type' => 'ssh-rsa', 'key' => 'user4-key' }
+ }
+ }}
+ }
+ end
+
+ it { is_expected.to contain_ssh_authorized_key('user1@example.com') }
+ it { is_expected.to_not contain_ssh_authorized_key('user2@example.com') }
+ it { is_expected.to_not contain_ssh_authorized_key('user3@example.com') }
+ it { is_expected.to contain_ssh_authorized_key('user4@example.com') }
+ end
+ end
 end
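Review bot: The new examples only assert that each ssh_authorized_key resource exists, so they cannot tell a group's key apart from another entry of the same name that replaced it during the merge in user.pp, and the `fail()` branch for an unknown group name is not exercised at all. Pinning the key material in at least one example, `it { is_expected.to contain_ssh_authorized_key('user1@example.com').with_key('user1-key') }`, and adding a describe with `'ssh_key_groups' => ['missing_group']` that expects `is_expected.to compile.and_raise_error(/does not exist/)` would cover both. A case with two users including the same group would also show whether the resulting resource titles collide across users, which none of these single-user examples can reveal. The outer describe block these contexts sit in starts before the hunk.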