Deploying BOSH on GCP

Page last updated:

This topic describes how to use the bosh-bootloader command-line tool to set up an environment for Cloud Foundry on Google Cloud Platform (GCP) and deploy a BOSH Director.


After completing this topic, you will have the following:

  1. A BOSH Director instance in the Availability Zone (AZ) of your choice
  2. A set of randomly generated BOSH Director credentials
  3. A generated key pair that allows you to SSH into the BOSH Director and any instances that BOSH deploys
  4. A copy of the manifest you use to deploy the BOSH Director

    Note: A manifest is a YAML file that defines the components and properties of a BOSH deployment.

  5. A basic cloud config

    Note: A cloud config is a YAML file that defines IaaS-specific configuration for BOSH.

  6. A set of load balancers

    Note: bosh-bootloader creates the load balancers, but you must still configure DNS to point your domains to the load balancers. See the Setting Up DNS for Your Environment topic for more information.

Step 1: Download Dependencies

Perform the following steps to download the required dependencies for bosh-bootloader:

  1. Download Terraform v0.9.1 or later. Unzip the file and move it to somewhere in your PATH:

    $ tar xvf ~/Downloads/terraform*
    $ sudo mv ~/Downloads/terraform /usr/local/bin/terraform

  2. Download the BOSH CLI v2. Make the binary executable and move it to somewhere in your PATH:

    $ chmod +x ~/Downloads/bosh-cli-*
    $ sudo mv ~/Downloads/bosh-cli-* /usr/local/bin/bosh

  3. Perform one of the following procedures to download and install bosh-bootloader:

    • On Mac OS X, use Homebrew:
      $ brew install cloudfoundry/tap/bbl
    • Download the latest bosh-bootloader from GitHub. Make the binary executable and move it to somewhere in your PATH:
      $ chmod +x ~/Downloads/bbl-*
      $ sudo mv ~/Downloads/bbl-* /usr/local/bin/bbl
  4. Download and install the gcloud CLI.

Step 2: Create an IAM Service Account

Perform the following steps to create the Identity and Access Management (IAM) service account that bosh-bootloader needs to interact with GCP:

  1. If you installed the gcloud CLI for the first time, initialize it:

    $ gcloud init

  2. Create the IAM service account for bosh-bootloader with the gcloud CLI:

    $ gcloud iam service-accounts create bbl-user --display-name "BBL"

  3. Navigate to the GCP Console and under Project info, retrieve your Project ID.

  4. Create keys for the service account, replacing YOUR-PROJECT-ID with the project ID you retrieved in the previous step:

    $ gcloud iam service-accounts keys create \
    --iam-account='' \
    This command outputs a bbl-user.key.json file. Store this file in a safe and secure place.

  5. Add the Editor role to the service account:

    $ gcloud projects add-iam-policy-binding YOUR-PROJECT-ID \
    --member='' \

Step 3: Create the Infrastructure and the BOSH Director

Run the following command to create the required infrastructure and deploy a BOSH Director:

bbl up \
  --iaas gcp \
  --gcp-service-account-key PATH-TO/bbl-user.key.json \
  --gcp-region YOUR-GCP-REGION

Replace the placeholders as follows:

  • PATH-TO is the path to the bbl-user.key.json file, created in the previous section.
  • YOUR-GCP-REGION is your GCP region, such as us-central1.

The bbl up command takes five to eight minutes to complete. When the process finishes, it outputs a state file, bbl-state.json, in the present working directory.

Note: The bbl-state.json file contains credentials and other metadata related to your BOSH Director and infrastructure. Back up this file and store it in a safe location, and never modify it manually.

To extract information from the bbl-state.json state file, use bosh-bootloader instead of opening the file. For example, to obtain your BOSH Director address, run the following command:

$ bbl director-address

Run bbl to see the full list of values from the state file that you can print. You must always run bbl from the directory that contains bbl-state.json.

Step 4: Create Load Balancers

To create your load balancers, run the following command:

$ bbl create-lbs --type cf --cert YOUR-CERT.crt --key YOUR-KEY.key --domain YOUR-SYSTEM-DOMAIN

Replace the placeholders as follows:

  • YOUR-CERT.crt and YOUR-KEY.key are the path to your Certificate Authority (CA) certificate and key. This enables SSL/TLS termination at your load balancer.
  • YOUR-SYSTEM-DOMAIN is the DNS domain name for your Cloud Foundry instance. Cloud Foundry uses this domain name when deploying apps. For example, if you select the name, Cloud Foundry deploys each of your apps as

For more information about the options for securing HTTP traffic into your Cloud Foundry (CF) deployment with SSL/TLS certificates, see the Securing Traffic into Cloud Foundry topic.

For test and development environments, you can also generate your own CA certificate and key with a tool such as certstrap.

Step 5: Update DNS Records

The create-lbs command creates an NS record in Google’s CloudDNS. You can view this record by navigating to the [GCP Console and selecting Networking > Cloud DNS.

The data associated with the record will have the following format:

From your domain registrar, delegate DNS authority for your hosted zone to the four CloudDNS name servers. To do this, replace your registrar’s NS records for the domain with the NS record values listed in CloudDNS.

After a few minutes, your system domain should resolve to your GCP load balancer.

Step 6: Connect to the BOSH Director

Perform the following steps to connect to the BOSH Director:

  1. Save the Certificate Authority (CA) certificate to a file and set the path as an environment variable:

    $ bbl director-ca-cert > bosh.crt
    $ export BOSH_CA_CERT=bosh.crt

  2. Set your BOSH Director address as an environment variable:

    $ export BOSH_ENVIRONMENT=$(bbl director-address)

  3. Obtain your BOSH Director username and password:

    $ bbl director-username
    $ bbl director-password

  4. Set your target and log in with the BOSH CLI:

    $ bosh alias-env YOUR-TARGET-NAME
    $ bosh log-in
    Replace YOUR-TARGET-NAME with a target name to associate with the BOSH Director address, such as my-bosh. You use this target name to log in to your BOSH Director in the future.

    Replace YOUR-DIRECTOR-USERNAME and YOUR-DIRECTOR-PASSWORD with the values you obtained from bbl in the previous step.

Destroy the BOSH Resources

You can use bbl destroy to delete the BOSH Director infrastructure in your GCP environment. Use this command if bbl up does not complete successfully and you want to reset your environment, or if you want to destroy the resources created by bosh-bootloader for any other reason.

To destroy your BOSH resources, run the following command:

$ bbl destroy

Create a pull request or raise an issue on the source for this page in GitHub