Deploying BOSH on AWS

Page last updated:

This topic describes how to use the bosh-bootloader command-line tool to set up an environment for Cloud Foundry on Amazon Web Services (AWS) and deploy a BOSH Director.


After completing this topic, you will have the following:

  1. A BOSH Director instance

  2. A bastion instance

  3. A set of randomly generated BOSH Director credentials

  4. A generated key pair that allows you to SSH into the BOSH Director and any instances that BOSH deploys

  5. A copy of the manifest used to deploy the BOSH Director

    Note: A manifest is a YAML file that defines the components and properties of a BOSH deployment.

  6. A basic cloud config

    Note: A cloud config is a YAML file that defines IaaS-specific configuration for BOSH.

  7. A set of Elastic Load Balancers (ELBs)

    Note: bosh-bootloader creates the ELBs, but you must still configure DNS to point your domains to the ELBs. See the Setting Up DNS for Your Environment topic for more information.

Step 1: Prepare a Domain

Perform the following steps to prepare a domain for Cloud Foundry:

  1. Select a DNS domain name for your Cloud Foundry instance. Cloud Foundry uses this domain name when deploying apps. For example, if you select the name, Cloud Foundry deploys each of your apps as

  2. From the AWS Route 53 dashboard, click Hosted zones.

  3. Click Create Hosted Zone.

  4. Under Domain Name, enter the domain name you selected above, for AWS to host.

  5. Under Type, choose Public Hosted Zone. This creates four name server (NS) records for your hosted zone.

  6. From your domain registrar, delegate DNS authority for your hosted zone to your four Amazon Route 53 name servers. To do this, replace your registrar’s NS records for the domain with the NS record values you created in the last step.

    Note: You can also find your NS record values by selecting your domain under the Hosted zones tab.


Step 2: Download Dependencies

Perform the following steps to download the required dependencies for bosh-bootloader:

  1. Download Terraform v0.9.1 or later. Unzip the file and move it to somewhere in your PATH:

    $ tar xvf ~/Downloads/terraform*
    $ sudo mv ~/Downloads/terraform /usr/local/bin/terraform

  2. Download BOSH CLI v2+. Make the binary executable and move it to somewhere in your PATH:

    $ chmod +x ~/Downloads/bosh-cli-*
    $ sudo mv ~/Downloads/bosh-cli-* /usr/local/bin/bosh

  3. Perform one of the following procedures to download and install bosh-bootloader:

    • On Mac OS X, use Homebrew:
      $ brew install cloudfoundry/tap/bbl
    • Download the latest bosh-bootloader from GitHub. Make the binary executable and move it to somewhere in your PATH:
      $ chmod +x ~/Downloads/bbl-*
      $ sudo mv ~/Downloads/bbl-* /usr/local/bin/bbl
  4. Install the AWS CLI.

Step 3: Create an IAM User

Perform the following steps to create the Identity and Access Management (IAM) user that bosh-bootloader needs to interact with AWS:

  1. Configure the AWS CLI with the information and credentials from your AWS account:

    $ aws configure
    AWS Access Key ID [None]: YOUR-AWS-ACCESS-KEY-ID
    AWS Secret Access Key [None]: YOUR-AWS-SECRET-ACCESS-KEY
    Default region name [None]: YOUR-AWS-REGION
    Default output format [None]: json
    For more information about retrieving your credentials, see Configuring the AWS CLI in the AWS documentation.

  2. Create the IAM user for bosh-bootloader with the AWS CLI:

    $ aws iam create-user --user-name "bbl-user"

  3. Copy the following policy text to your clipboard:

        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Action": [
                "Resource": [
  4. Apply the policy:

    $ aws iam put-user-policy --user-name "bbl-user" \
    --policy-name "bbl-policy" \
    --policy-document "$(pbpaste)"

  5. Create an access key:

    $ aws iam create-access-key --user-name "bbl-user"

    This command outputs an Access Key ID and a Secret Access Key. Record these values and store them in a secure place. You use them in the next section.

Step 4: Create Infrastructure, Bastion, BOSH Director, and Load Balancers

Run the following command to create the required infrastructure and deploy a BOSH Director:

$ bbl plan \
    --iaas aws \
    --aws-access-key-id YOUR-ACCESS-KEY-ID \
    --aws-secret-access-key YOUR-SECRET-ACCESS-KEY \
    --aws-region YOUR-AWS-REGION \
    --lb-type cf \
    --lb-cert YOUR-CERT.crt \
    --lb-key YOUR-KEY.key \
    --lb-domain YOUR-SYSTEM-DOMAIN
$ bbl up

Replace the placeholders as follows:

  • YOUR-ACCESS-KEY-ID and YOUR-SECRET-ACCESS-KEY: The credentials for the bbl-user you created in the previous section
  • YOUR-AWS-REGION: Your AWS region, such as us-west-2

The bbl up command takes five to eight minutes to complete.

When bbl plan or bbl up is run, files in the --state-dir (or present working directory) will be created, modified, or deleted.

Note: The bbl state directory contains credentials and other metadata related to your BOSH Director and infrastructure. Back up this directory and store it in a safe location.

To extract information from the bbl state, use bbl. For example, to obtain your BOSH Director address, run the following command:

$ bbl director-address

Run bbl to see the full list of values from the state file that you can print. You must always run bbl from the state directory.

For more information about the options for securing HTTP traffic into your Cloud Foundry (CF) deployment with SSL/TLS certificates, see the Securing Traffic into Cloud Foundry topic.

For test and development environments, you can also generate your own CA certificate and key with a tool such as certstrap.

Step 5: Connect to the BOSH Director

Run the following to connect to the BOSH Director:

$ eval "$(bbl print-env)"

Destroy the BOSH Resources

You can use bbl destroy to delete the BOSH Director infrastructure in your AWS environment. Use this command if bbl up does not complete successfully and you want to reset your environment, or if you want to destroy the resources created by bosh-bootloader for any other reason.

To delete load balancers only:

$ bbl plan
$ bbl up

To delete the infrastructure, bastion, director, and load balancers:

$ bbl destroy
Create a pull request or raise an issue on the source for this page in GitHub