diff --git a/roles/add-authorized-keys/README.rst b/roles/add-authorized-keys/README.rst new file mode 100644 index 000000000..77ba74e3e --- /dev/null +++ b/roles/add-authorized-keys/README.rst @@ -0,0 +1,36 @@ +Install SSH public key(s) on all hosts + +This role is intended to be run at the end of a failed job for which the build +node set will be held with zuul's `autohold` command. + +It copies the public key(s) into the authorized_keys file of every host in the +inventory, allowing privileged users to access the node set for debugging or +post-mortem analysis. + +Add this stanza at the end of your project's base post playbook to activate this +functionality: + +.. code-block:: yaml + + - hosts: all + roles: + - role: add-authorized-keys + public_keys: + - public_key: ssh-rsa AAAAB... venkman@parapsy.columbia.edu + - public_key: ssh-rsa AAAAB... spengler@parapsy.columbia.edu + when: not zuul_success | bool + +.. caution:: + Including this role earlier in any playbook may allow the keys' owners to + tamper with the execution of the jobs. It is strongly advised against doing + so. + +**Role Variables** + +.. zuul:rolevar:: ssh_public_keys + + A list of keys to inject. + + .. zuul:rolevar:: public_key + + A public key to inject into authorized_keys, or a URL to a public key. diff --git a/roles/add-authorized-keys/tasks/main.yaml b/roles/add-authorized-keys/tasks/main.yaml new file mode 100644 index 000000000..3abe0fc2b --- /dev/null +++ b/roles/add-authorized-keys/tasks/main.yaml @@ -0,0 +1,7 @@ +- name: Enable access via build key on all nodes + authorized_key: + user: "{{ ansible_ssh_user }}" + state: present + key: "{{ item.public_key }}" + with_items: + - "{{ public_keys }}"
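Review bot: The variable documented under **Role Variables** in README.rst does not match the one the role consumes: the docs declare `.. zuul:rolevar:: ssh_public_keys`, but the example stanza in the same README passes `public_keys:` and tasks/main.yaml iterates `"{{ public_keys }}"`, so a user who follows the documented name gets an undefined-variable failure. Rename the rolevar to `public_keys` (or rename the variable in the playbook example and tasks to `ssh_public_keys`) so all three agree. The sentence "A public key to inject into authorized_keys, or a URL to a public key" also deserves one more clause: when a URL is given, `authorized_key` fetches the key material from that URL on the target node at run time, so whoever controls the URL controls who can log in to the held nodes; the README should advise pasting literal keys or pointing only at a URL the project owns.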
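Review bot: `user: "{{ ansible_ssh_user }}"` in tasks/main.yaml uses the connection variable name that Ansible deprecated in favour of `ansible_user` in 2.0; on inventories that set only `ansible_user` this task fails with an undefined variable, so switch to `user: "{{ ansible_user }}"`. Two smaller points in the same hunk: `with_items:` wrapping `"{{ public_keys }}"` in an extra single-element list relies on `with_items` flattening one level and reads as though a list of lists were intended, where `loop: "{{ public_keys }}"` says what is meant; and the task name "Enable access via build key on all nodes" describes the wrong thing, since the keys installed here are the debugging users' public keys from the README, not the job's build key, so rename it to something like "Install debugging public keys in authorized_keys".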