diff --git a/builder/docker/communicator.go b/builder/docker/communicator.go
index 8a1546ba2..13684b2f8 100644
--- a/builder/docker/communicator.go
+++ b/builder/docker/communicator.go
@@ -27,13 +27,26 @@ type Communicator struct {
 }
 
 func (c *Communicator) Start(remote *packer.RemoteCmd) error {
-	var cmd *exec.Cmd
+	dockerArgs := []string{
+		"exec",
+		"-i",
+		c.ContainerID,
+		"/bin/sh",
+		"-c",
+		fmt.Sprintf("(%s)", remote.Command),
+	}
+
 	if c.Config.Pty {
-		cmd = exec.Command("docker", "exec", "-i", "-t", c.ContainerID, "/bin/sh", "-c", fmt.Sprintf("(%s)", remote.Command))
-	} else {
-		cmd = exec.Command("docker", "exec", "-i", c.ContainerID, "/bin/sh", "-c", fmt.Sprintf("(%s)", remote.Command))
+		dockerArgs = append(dockerArgs[:2], append([]string{"-t"}, dockerArgs[2:]...)...)
 	}
 
+	if c.Config.ExecUser != "" {
+		dockerArgs = append(dockerArgs[:2],
+			append([]string{"-u", c.Config.ExecUser}, dockerArgs[2:]...)...)
+	}
+
+	cmd := exec.Command("docker", dockerArgs...)
+
 	var (
 		stdin_w io.WriteCloser
 		err     error
diff --git a/builder/docker/config.go b/builder/docker/config.go
index 3f8f4d427..89d28c290 100644
--- a/builder/docker/config.go
+++ b/builder/docker/config.go
@@ -23,19 +23,20 @@ type Config struct {
 	common.PackerConfig `mapstructure:",squash"`
 	Comm                communicator.Config `mapstructure:",squash"`
 
+	Author       string
+	Changes      []string
 	Commit       bool
+	ContainerDir string `mapstructure:"container_dir"`
 	Discard      bool
+	ExecUser     string `mapstructure:"exec_user"`
 	ExportPath   string `mapstructure:"export_path"`
 	Image        string
+	Message      string
+	Privileged   bool `mapstructure:"privileged"`
 	Pty          bool
 	Pull         bool
 	RunCommand   []string `mapstructure:"run_command"`
 	Volumes      map[string]string
-	Privileged   bool `mapstructure:"privileged"`
-	Author       string
-	Changes      []string
-	Message      string
-	ContainerDir string `mapstructure:"container_dir"`
 
 	// This is used to login to dockerhub to pull a private base container. For
 	// pushing to dockerhub, see the docker post-processors
diff --git a/website/source/docs/builders/docker.html.md b/website/source/docs/builders/docker.html.md
index 7fab6d09b..a36ff9cb7 100644
--- a/website/source/docs/builders/docker.html.md
+++ b/website/source/docs/builders/docker.html.md
@@ -174,6 +174,10 @@ You must specify (only) one of `commit`, `discard`, or `export_path`.
     `login_password` will be ignored. For more information see the
     [section on ECR](#amazon-ec2-container-registry).
 
+*   `exec_user` (string) - Username or UID (format: <name|uid>[:<group|gid>])
+    to run remote commands with. You may need this if you get permission errors
+    trying to run the `shell` or other  provisioners.
+
 -   `login` (boolean) - Defaults to false. If true, the builder will login in
     order to pull the image. The builder only logs in for the duration of
     the pull. It always logs out afterwards. For log into ECR see `ecr_login`.