Skip to content
Builds light stemcells for AWS from a "full" bosh stemcell
Go Shell Ruby Dockerfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Light Stemcell Builder for AWS

This tool takes a raw machine image and a configuration file and creates a collection of AMIs. Any AWS region including China is supported.

AWS Setup for Publishing

  1. Create an S3 bucket for intermediate artifacts (e.g. light-stemcells-for-project-XXX)
  2. Create an AWS IAM policy based on the JSON contained in builder-policy.json
  3. Replace the bucket placeholder in your policy with the bucket created in step 1
      "Resource": [
    -    "arn:aws:s3:::<disk-image-file-bucket>",
    -    "arn:aws:s3:::<disk-image-file-bucket>/*"
    +    "arn:aws:s3:::light-stemcells-for-project-XXX",
    +    "arn:aws:s3:::light-stemcells-for-project-XXX/*"
    Note: The arn for AWS GovCloud region is aws-us-gov. It looks like this: "arn:aws-us-gov:s3:::<disk-image-file-bucket>"
  4. Create an AWS IAM user and attach the policy created in steps 2, 3.
  5. Create the vmimport AWS role as detailed here, specifying the previously created bucket in place of <disk-image-file-bucket>; see example IAM policy.
  6. Replicate these steps in a separate AWS China account if publishing to China.

IAM User Setup for Integration Testing

  1. Follow steps in "AWS Setup for Publishing"
  2. Create an IAM policy based on the JSON contained in integration-test-policy.json
  3. Attach the policy you created in step 2 to the existing publishing user


Unit testing:

ginkgo -r --skipPackage driver,integration

Example Usage

Example config:

  "ami_configuration": {
    "description":          "Your description here",
    "virtualization_type":  "hvm",
    "visibility":           "public"
  "ami_regions": [
      "name":               "us-east-1",
      "credentials": {
        "access_key":       "US_ACCESS_KEY_ID",
        "secret_key":       "US_ACCESS_SECRET_KEY"
      "bucket_name":        "US_BUCKET_NAME",
      "destinations":       ["us-west-1", "us-west-2"]
      "name":               "cn-north-1",
      "credentials": {
        "access_key":       "CN_ACCESS_KEY_ID",
        "secret_key":       "CN_ACCESS_SECRET_KEY"
      "bucket_name":        "CN_BUCKET_NAME"


./light-stemcell-builder -c config.json --image root.img --manifest stemcell.MF > updated-stemcell.MF

Example Output:

name: bosh-aws-xen-hvm-ubuntu-trusty-go_agent
version: "3202"
bosh_protocol: "1"
sha1: f0c10bb5e8b7fee9c29db15bbb4ae481e398eab6
operating_system: ubuntu-trusty
- aws-light
    cn-north-1: ami-69ae6504
    us-east-1: ami-e62f158c
    us-west-1: ami-947e0df4
    us-west-2: ami-54328238


If the vmimport role is not present, you will receive this error from the light stemcell builder:

Error publishing AMIs to us-east-1: creating snapshot: creating import snapshot task: InvalidParameter: The sevice role does not exist or does not have sufficient permissions for the service to continue status code: 400, request id:

You can’t perform that action at this time.