CloudFormation Support for Chef's Knife Command

Knife CFN

This is a Knife plugin for AWS CloudFormation. This plugin gives knife the ability to validate, create, describe, and delete stacks.


Be sure you are running the latest version of Chef. Versions earlier than 0.10.0 don't support plugins:

gem install chef

This plugin is distributed as a Ruby Gem. To install it, run:

gem install knife-cfn

Depending on your system's configuration, you may need to run this command with root privileges.


To communicate with Amazon's CloudFormation API, you have to tell Knife your AWS Access Key and Secret Access Key. The easiest way to do this is to create some entries in your knife.rb file:

knife[:aws_access_key_id] = "Your AWS Access Key ID"
knife[:aws_secret_access_key] = "Your AWS Secret Access Key"

If your knife.rb file will be checked into an SCM system (i.e. readable by others), you may want to read the values from environment variables instead:

knife[:aws_access_key_id] = ENV['AWS_ACCESS_KEY_ID']
knife[:aws_secret_access_key] = ENV['AWS_SECRET_ACCESS_KEY']
# Optional if you're using Amazon's STS
knife[:aws_session_token] = ENV['AWS_SESSION_TOKEN']

You also have the option of passing your AWS API Key/Secret into the individual knife subcommands using the -A (or --aws-access-key-id) and -K (or --aws-secret-access-key) command options.

# provision a new stack
$ knife cfn create test -f test.stack

If you are working with Amazon's command line tools, there is a good chance you already have a file with these keys somewhere in this format:

AWSAccessKeyId=Your AWS Access Key ID
AWSSecretKey=Your AWS Secret Access Key

The new config file format used by Amazon's command line tools is also supported:

aws_access_key_id = Your AWS Access Key ID
aws_secret_access_key = Your AWS Secret Access Key

In this case, you can point the aws_credential_file option to this file in your knife.rb file, like so:

knife[:aws_credential_file] = "/path/to/credentials/file/in/above/format"

If you have multiple profiles in your credentials file, you can define which profile to use. The default profile will be used if none is supplied.

knife[:aws_profile] = "personal"
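
One way to check a knife.rb before it is committed, as an added example that is not part of knife-cfn: it flags credential settings assigned as quoted literals rather than ENV lookups, and an aws_credential_file that group or other users can access. The function names and the sample configuration are assumptions constructed for illustration, and the permission check assumes a POSIX file system.

```ruby
# Added example, not part of knife-cfn: audit a knife.rb before committing it.
SECRET_KEYS = %w[aws_access_key_id aws_secret_access_key aws_session_token].freeze

# Matches `knife[:key] = <rhs>` and captures the key name and right-hand side.
ASSIGNMENT = /^\s*knife\[\s*:(\w+)\s*\]\s*=\s*(.+?)\s*$/

# Constructed sample input, not a real configuration.
SAMPLE_KNIFE_RB = <<~'CONF'
  # credentials for the CloudFormation API
  knife[:aws_access_key_id] = "EXAMPLE-KEY-ID"
  knife[:aws_secret_access_key] = ENV['AWS_SECRET_ACCESS_KEY']
  knife[:aws_session_token] = ENV['AWS_SESSION_TOKEN']
  knife[:aws_profile] = "personal"
CONF

# True when the file exists and group or other hold any permission bit (POSIX).
def loose_permissions?(path)
  full = File.expand_path(path)
  File.file?(full) && (File.stat(full).mode & 0o077) != 0
end

# Returns one finding hash per risky setting in the given knife.rb text.
def audit_knife_config(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#') # commented-out settings are ignored
    m = ASSIGNMENT.match(line)
    next unless m
    key, rhs = m[1], m[2]
    if SECRET_KEYS.include?(key) && rhs.match?(/\A["']/)
      # A quoted value means the secret itself is stored in the file.
      findings << { line: lineno, key: key, issue: :literal_secret }
    elsif key == 'aws_credential_file'
      path = rhs[/\A["']([^"']*)["']/, 1]
      if path && loose_permissions?(path)
        findings << { line: lineno, key: key, issue: :loose_permissions }
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_knife_config(SAMPLE_KNIFE_RB).each do |f|
    puts "line #{f[:line]}: #{f[:key]} -> #{f[:issue]}"
  end
end
```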


This plugin provides the following Knife subcommands. Specific command options can be found by invoking the subcommand with the --help flag.

knife cfn validate

Validates a template file or template URL.

knife cfn create

Creates a CloudFormation stack from a template file or template URL.

knife cfn update

Updates a CloudFormation stack from a template file or template URL.

knife cfn delete

Deletes a running CloudFormation stack.

knife cfn describe [-l / --long ] [stack name]

Outputs the name, status, creation time and rollback status of a stack, or all stacks if stack name is omitted. The --long (-l) parameter shows stack IDs (ARN) instead of friendly names.

knife cfn events [ stack name ]

Outputs a list of events for a stack name.

knife cfn resources [ stack name ] [ logical resource id ]

Outputs the logical resource ID, physical resource ID, resource type and status for all resources of a stack. If a logical resource ID is specified, only the details of that resource are shown. A logical resource ID is the reference given to a resource in the CloudFormation template, under the "Resources" section.

knife cfn outputs [ -o ] [ stack name ]

Outputs a list of outputs for a stack name. If the -o option is specified, the output is formatted in the same syntax as the parameters for cfn create / update.


Author:: Neill Turner
Copyright:: Copyright (c) 2012 EC2Dream.
License:: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
