Boto3 - Unable to pass existing key pair value as parameter in cloud formation parameters list


With the help of these two link, I am trying to create/delete the DEV environment using cloud formation and lambda function. I need to call cloud formation code via lambda function but there are parameters and capabilities that need to be pass as input, I have key pair is already created in AWS account, I want to use that value to pass as parameter. I am not able to figure out the existing key pair value to be passed and what will be the value for capabilities section. Request you to please suggest.

Cloud Formation - Create DEV environment with ELB, EC2, Security Group and Configuration Link #1

Automate Cloud Formation - Schedule Cloud Formation using Cloud Watch and Lambda Function Link #2

asked 9 months ago378 views
2 Answers
Accepted Answer


"KeyName" in AWS::EC2::Instance must be the name of the key pair.
For example, if the key pair already created is named "test-key", the CloudFormation template will look like this.

    Type: AWS::EC2::Instance
      AvailabilityZone: us-east-2a
      ImageId: ami-0233c2d874b811deb 
      InstanceType: t2.micro
        - !Ref EC2SecurityGroup
      KeyName: test-key
        Fn::Base64: !Sub |
          yum update -y
          yum install -y httpd
          systemctl start httpd
          systemctl enable httpd
          #echo "<h1>Hello from Region us-east-2a</h1>" > /var/www/html/index.html

If CloudFormation is used to create IAM resources, "CAPABILITY_IAM" must be set in the Capabilities field.
If IAM resources are not created by CloudFormation, "Capabilities" is not necessary and can be deleted.

import boto3
cf = boto3.client('cloudformation')
def lambda_handler(event, context):
    res = cf.create_stack(
                'ParameterKey': 'SecurityGroupDescription',
                'ParameterValue': 'test'
                'ParameterKey': 'KeyName',
                'ParameterValue': 'test-key'
profile picture
answered 9 months ago
profile picture
reviewed 9 months ago
profile pictureAWS
reviewed 9 months ago
  • I am grateful to you, it works well and environment is also get created. I was struggling to find the solution of it since one week. Your expertise helps a lot.



Can I propose something slightly different with some advantages: why don't you use AWS SSM Parameter Store to store your key?


If you consider your parameter as confidential, you can even use AWS Secrets Manager (SM) and have your secret parameter be encrypted by AWS Key Management Service ? See:

The advantages:

  1. your parameter remains encrypted and is not present in any code or other service than SM. So, if you have high compliance requirements, you can better satisfy them.
  2. you can change its value as needed without any impact on your running code and on your Cloudformation stack (no update needed): your Lambda will just read the new value at next execution after update



profile pictureAWS
answered 9 months ago
profile picture
reviewed 9 months ago
profile picture
reviewed 9 months ago
  • I would take this approach into consideration as my this code start working. At moment, I am not able find how we can pass key pair value as parameter in cloud formation parameter.

  • This is also helpful.. I will try this. Thank you for sharing the suggestion.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions