CFN helper scripts  are used to retrieve and interpret resource metadata, install packages, create files, and start services. It is commonly used in user-data scripts.

In order to use cfn helper scripts in Elastigroup user-data, you will need to specify credentials by using an IAM role that is allowed to access Cloud Formation stack resources.

Read more about using CFN helper scripts in AWS docs


How to use CFN Helper scripts in Elastigroup User-Data
Step 1 – Create a new IAM Policy
1. Login to your AWS console and navigate to the IAM management console:

2. Click on Policies from the side menu, and then “Create Policy”:

3. Switch to JSON view and add this snippet to the policy:


   "Version": "2012-10-17",

   "Statement": [


           "Effect": "Allow",

           "Action": [




           "Resource": "*"




4. Click review, give the policy a name and create the policy:


Step 2 – Attach the IAM Policy to your IAM Role
1. Under Roles from the side menu, locate the IAM role used by your elastigroup and click on it:

2. Search your newly created policy, and click Attach Policy:

Note: Beanstalk Elastigroups do not need to modify their user-data. 


Step 3 – Modify your elastigroup user-data (Non-Beanstalk Elastigroups)

Modify your user-data to invoke CFN helper scripts using the role name. Note: If your Instance profile name is different than the role name attached to it, use the role name in the user-data script. 


For example, for a cfn-init call add the role: 

/opt/aws/bin/cfn-init -v --stack <cfn-stack-id> --resource <logical-resource> --role <my-role>


Windows user-data:

C:\Program Files\Amazon\cfn-bootstrap\cfn-init.exe --stack <cfn-stack-id> --resource <logical-resource> --role <my-role>