Boto3 - Unable to pass existing key pair value as parameter in cloud formation parameters list

Question

With the help of these two link, I am trying to create/delete the DEV environment using cloud formation and lambda function. I need to call cloud formation code via lambda function but there are parameters and capabilities that need to be pass as input, I have key pair is already created in AWS account, I want to use that value to pass as parameter. I am not able to figure out the existing key pair value to be passed and what will be the value for capabilities section. 
Request you to please suggest.

Cloud Formation - Create DEV environment with ELB, EC2, Security Group and Configuration
Link #1 
https://dev.classmethod.jp/articles/cloudformation-template-for-creating-ec2-with-load-balancer/

Automate Cloud Formation - Schedule Cloud Formation using Cloud Watch and Lambda Function
Link #2
https://medium.com/@shotin93/how-to-schedule-to-create-aws-cloudformation-stack-861bd1feba7f

Accepted Answer

Hello. "KeyName" in AWS::EC2::Instance must be the name of the key pair. For example, if the key pair already created is named "test-key", the CloudFormation template will look like this. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#aws-properties-ec2-instance--examples ``` EC2Instance1: Type: AWS::EC2::Instance Properties: AvailabilityZone: us-east-2a ImageId: ami-0233c2d874b811deb InstanceType: t2.micro SecurityGroups: - !Ref EC2SecurityGroup KeyName: test-key UserData: Fn::Base64: !Sub | #!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd #echo "

Hello from Region us-east-2a

" > /var/www/html/index.html ``` If CloudFormation is used to create IAM resources, "CAPABILITY_IAM" must be set in the Capabilities field. If IAM resources are not created by CloudFormation, "Capabilities" is not necessary and can be deleted. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation/client/create_stack.html ``` import boto3 cf = boto3.client('cloudformation') def lambda_handler(event, context): res = cf.create_stack( StackName=('SampleStack'), TemplateURL='https://YourObjectUrl', Parameters=[ { 'ParameterKey': 'SecurityGroupDescription', 'ParameterValue': 'test' }, { 'ParameterKey': 'KeyName', 'ParameterValue': 'test-key' } ], Capabilities=[ 'CAPABILITY_IAM' ] ) ```

Answer

Hi,

Can I propose something slightly different with some advantages: why don't you use AWS SSM Parameter Store to store your key?

See https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

If you consider your parameter as confidential, you can even use AWS Secrets Manager (SM) and have your secret parameter be encrypted by AWS Key Management Service ?
See: 
* https://aws.amazon.com/secrets-manager/ 
* https://aws.amazon.com/kms/

The advantages:

1. your parameter remains encrypted and is not present in any code or other service than SM. So, if you have high compliance requirements, you can better satisfy them.
2. you can change its value as needed without any impact on your running code and on your Cloudformation stack (no update needed): your Lambda will just read the new value at next execution after update

Best,

Didier

Boto3 - Unable to pass existing key pair value as parameter in cloud formation parameters list

Relevant content