The ec2 plugin has code to generate a fingerprint, based on the private key, which matches the one generated by AWS.

This is unreliable as there are two methods by which an ec2 keypair can come to be:

1. Generating and retrieving the private key via the API / console
2. Generating a key locally and importing the public key into ec2 via the API / console

As amazon never have the private key in the second case they cannot generate a fingerprint for it, and it is instead based on the public key. When the ec2 plugin goes to find which ec2 keypair to start instances with based on this fingerprint it will only ever succeed with keypairs generated by amazon.

The ec2 keypair should be instead be specified by name along with the contents of the private key.