TKG 1.4 on AWS – Part 1: Prepare the resources

This post explains how to prepare an Amazon EC2 environment for running Tanzu Kubernetes Grid. Before you can use the Tanzu CLI or the installer interface to deploy a management cluster, you must prepare the bootstrap machine (your local workstation or any VM with internet access) on which you run the Tanzu CLI, and set up your Amazon Web Services (AWS) account. In this demo we use an Ubuntu VM deployed as an EC2 instance in AWS.

Note: Refer to the official documentation for more details.

Deploy a vm for bootstrap

  • In the AWS console, navigate to AWS services > EC2
  • Click Launch instance
  • Search for an Ubuntu AMI (Amazon Machine Image)
  • Select an instance type; in this case I used t2.xlarge (not Free Tier eligible)
  • Select the default VPC and click Add Storage
  • Change the size to 40 GB and click Add Tags
  • Add a tag with Name : Jumpbox-aws, then click Configure Security Group
  • Create a new security group, provide a Name and Description, and allow inbound ports 22 and 8080 (restrict the source to your own IP address rather than 0.0.0.0/0)
  • Review and Launch > Launch
  • In the key pair section: Create a new key pair > provide a name and Download Key Pair > Launch Instances
  • It takes a few minutes to launch; after that, collect the public IP and connect to the jumpbox VM using the command below.
access jumpbox
# Navigate to the directory where the .pem file was downloaded (the commands below are from a Mac).
# ssh refuses a private key that other users can read, so tighten its permissions first.

$ chmod 400 jumpbox-aws.pem
$ ssh -i jumpbox-aws.pem ubuntu@
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-1022-aws x86_64)
Last login: Thu Dec 16 04:34:27 2021 from
ubuntu@ip-172-31-37-5:~$ sudo -i

Install Docker

  • Refer to the Docker documentation for detailed installation steps.

Install Tanzu bundle and Kubectl

  • Download the VMware Tanzu CLI 1.4.0 bundle from My VMware using your My VMware credentials: navigate to the Tanzu Kubernetes Grid Downloads page
  • In the Select Version drop-down, select 1.4.0 (or the latest, if available)
  • Under Product Downloads, scroll to the section labeled VMware Tanzu CLI 1.4.0 CLI > Download Now
  • On the same page, scroll down to Kubectl 1.21.2 > Download Now
  • On your system, create a new directory named tanzu. If you previously unpacked artifacts from earlier releases into this folder, delete its existing contents.
  • Copy the downloaded CLI files into the tanzu directory
  • In the tanzu folder, unpack the Tanzu CLI bundle and the kubectl bundle for your operating system using the tar -xvf command
  • Navigate to the tanzu/cli folder that you unpacked in the previous step.
  • Make the CLI available to the system by installing the binary to /usr/local/bin:
    Tanzu CLI Install
    # In the tanzu directory, unpack the bundle; it creates a cli/ folder
    $ tar -xvf tanzu-cli-bundle-linux-amd64.tar
    $ cd cli

    # The jumpbox is Linux, so install the linux_amd64 core binary (the darwin one is for macOS)
    $ sudo install core/v1.4.0/tanzu-core-linux_amd64 /usr/local/bin/tanzu

    # Run tanzu version to check that the correct version of the CLI is installed.

    $ tanzu version
    version: v1.4.0
    buildDate: 2021-08-30
    sha: c9929b8f

    # After installing the tanzu core executable, install the CLI plugins.
    # Run this from the tanzu folder that contains the cli folder.

    $ cd ..
    $ tanzu plugin install --local cli all
    $ tanzu plugin list
    NAME                LATEST VERSION  DESCRIPTION                                                        REPOSITORY  VERSION  STATUS
    alpha               v1.4.0          Alpha CLI commands                                                 core                 not installed
    cluster             v1.4.0          Kubernetes cluster operations                                      core        v1.4.0   installed
    kubernetes-release  v1.4.0          Kubernetes release operations                                      core        v1.4.0   installed
    login               v1.4.0          Login to the platform                                              core        v1.4.0   installed
    management-cluster  v1.4.0          Kubernetes management cluster operations                           core        v1.4.0   installed
    package             v1.4.0          Tanzu package management                                           core        v1.4.0   installed
    pinniped-auth       v1.4.0          Pinniped authentication operations (usually not directly invoked)  core        v1.4.0   installed

Install Kubectl:

  • Navigate to the kubectl binary that you unpacked earlier into the tanzu directory
  • Make the CLI available to the system by installing the binary to /usr/local/bin
Install Kubectl
# Unpack the kubectl bundle
$ gunzip kubectl-linux-v1.21.2+vmware.1.gz

# Make the file executable
$ chmod +x kubectl-linux-v1.21.2+vmware.1

# Rename the binary to kubectl
$ mv kubectl-linux-v1.21.2+vmware.1 kubectl

# Install kubectl
$ sudo install kubectl /usr/local/bin/kubectl

# Verify the client version (no cluster exists yet, so only the client is queried)
$ kubectl version --client
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.2+vmware.1", GitCommit:"54e7e68e30dd3f9f7bb4f814c9d112f54f0fb273", GitTreeState:"clean", BuildDate:"2021-06-28T22:17:36Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

Install Carvel Tools: 

Carvel provides a set of reliable, single-purpose, composable tools that aid in application building, configuration, and deployment to Kubernetes.

  • ytt – a command-line tool for templating and patching YAML files. You can also use ytt to collect fragments and piles of YAML into modular chunks for easy re-use.
  • kapp – the applications deployment CLI for Kubernetes. It allows you to install, upgrade, and delete multiple Kubernetes resources as one application.
  • kbld – an image-building and resolution tool.
  • imgpkg – a tool that enables Kubernetes to store configurations and the associated container images as OCI images, and to transfer these images.
ytt install
# Navigate to the cli directory.
# The jumpbox is Linux, so use the *-linux-amd64 binaries from the bundle (the darwin ones are for macOS).
# Unpack the ytt binary and make it executable.
gunzip ytt-linux-amd64-v0.34.0+vmware.1.gz
chmod ugo+x ytt-linux-amd64-v0.34.0+vmware.1

# Move the binary to /usr/local/bin and rename it to ytt:

mv ./ytt-linux-amd64-v0.34.0+vmware.1 /usr/local/bin/ytt

# In a new terminal, run ytt version to check that the correct version of ytt is installed.

kapp install
# Unpack the kapp binary and make it executable.

gunzip kapp-linux-amd64-v0.37.0+vmware.1.gz
chmod ugo+x kapp-linux-amd64-v0.37.0+vmware.1

# Move the binary to /usr/local/bin and rename it to kapp:

mv ./kapp-linux-amd64-v0.37.0+vmware.1 /usr/local/bin/kapp

# Run kapp version to check that the correct version of kapp is installed.

kbld install
# Unpack the kbld binary and make it executable.

gunzip kbld-linux-amd64-v0.30.0+vmware.1.gz
chmod ugo+x kbld-linux-amd64-v0.30.0+vmware.1

# Move the binary to /usr/local/bin and rename it to kbld:

mv ./kbld-linux-amd64-v0.30.0+vmware.1 /usr/local/bin/kbld

# Run kbld version to check that the correct version of kbld is installed.

imgpkg install
# Unpack the imgpkg binary and make it executable.

gunzip imgpkg-linux-amd64-v0.10.0+vmware.1.gz
chmod ugo+x imgpkg-linux-amd64-v0.10.0+vmware.1

# Move the binary to /usr/local/bin and rename it to imgpkg:

mv ./imgpkg-linux-amd64-v0.10.0+vmware.1 /usr/local/bin/imgpkg

# Run imgpkg version to check that the correct version of imgpkg is installed.
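Before moving on, it is worth confirming that every CLI installed above is actually a Linux build and is executable: the Tanzu and Carvel bundles also ship darwin (macOS) binaries with the same version string, and a Mach-O file copied into /usr/local/bin only fails when it is first run. The preflight script below is an added example, not part of this post or of the Tanzu and Carvel projects; it assumes the tools were installed under /usr/local/bin with the names used above and checks each one for presence, the executable bit and the ELF magic number.

```sh
#!/bin/sh
# Jumpbox preflight: confirm each required CLI is present, executable and
# a Linux (ELF) binary. Added example; the tool list is the one from the
# post (tanzu, kubectl, ytt, kapp, kbld, imgpkg) and the install directory
# is assumed to be /usr/local/bin.

# Print the first four bytes of a file as lowercase hex with no separators.
magic_hex() {
  head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# 0 if the file is an ELF image (what a Linux jumpbox can execute),
# 1 otherwise. A Mach-O binary from the darwin bundle starts with
# cf fa ed fe and therefore fails this check.
is_linux_elf() {
  [ "$(magic_hex "$1")" = "7f454c46" ]
}

# Check one tool: present, executable, ELF. Prints a one-line verdict and
# returns 0 only if all three conditions hold.
check_tool() {
  dir=$1; name=$2; path="$dir/$name"
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"; return 1
  fi
  if [ ! -x "$path" ]; then
    echo "NOEXEC   $path (run: chmod +x $path)"; return 1
  fi
  if ! is_linux_elf "$path"; then
    echo "NOT-ELF  $path (wrong OS bundle? expect *-linux-amd64)"; return 1
  fi
  echo "OK       $path"
}

# Check every tool named on the command line; returns the number of failures.
check_tools() {
  d=$1; shift
  failures=0
  for t in "$@"; do
    check_tool "$d" "$t" || failures=$((failures + 1))
  done
  return "$failures"
}

# Usage on the jumpbox:
#   check_tools /usr/local/bin tanzu kubectl ytt kapp kbld imgpkg
```

The ELF check is what catches the darwin/linux mix-up: a wrong-OS binary passes the presence and executable-bit checks and only reveals itself with "cannot execute binary file" when first invoked.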

Install AWS CLI, jq

# Install jq:

$ sudo apt-get install jq

# Install AWS CLI v2:

$ sudo apt-get update

$ curl "" -o ""
$ sudo apt-get install unzip
$ unzip
$ sudo ./aws/install
$ aws --version
aws-cli/2.4.6 Python/3.8.8 Linux/5.11.0-1022-aws exe/x86_64.ubuntu.20 prompt/off

Permissions and access to AWS accounts

Configure AWS Credentials

  • You need the access key ID and secret access key of an active AWS account. Refer to the AWS documentation on how to obtain them.
configure AWS credentials
# Run the commands below on the jumpbox with the values you collected from the AWS account.
# A shell assignment allows no space around "=".
# AWS_SESSION_TOKEN is only needed for temporary (STS) credentials; omit it for a long-lived access key.
# Values typed on the command line end up in the shell history; the profile created with
# aws configure below is stored in ~/.aws/credentials instead.

export AWS_ACCESS_KEY_ID=<Access key ID>
export AWS_SECRET_ACCESS_KEY=<Secret access key>
export AWS_SESSION_TOKEN=<Session token>

# Create a profile
aws configure --profile tkg-profile
AWS Access Key ID [None]: <Access key ID>
AWS Secret Access Key [None]: <Secret access key>
Default region name [None]: <Region name>
Default output format [None]:

SSH Key Pair

  • Create an SSH key pair in your AWS account; this can be done through the console or the AWS CLI
key pair
# Here is the command to create a key pair through the AWS CLI. The private key is returned only once,
# so it is written to a .pem file in the directory where the command is run and then restricted to the owner.

aws ec2 create-key-pair --key-name tkg-demo-2 --region ap-south-1 --output json | jq .KeyMaterial -r > tkg-demo-2.pem
chmod 400 tkg-demo-2.pem

# If you would like to create the key pair through the AWS console, follow these steps:
  • In the AWS Console, navigate to AWS services > EC2 > Network & Security > Key pairs > Create key pair > give a Name > Create key pair
  • A .pem file is downloaded automatically to your machine and can be used later.
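The private half of a key pair is returned exactly once by create-key-pair, and ssh refuses an identity file that other users can read, so the .pem file should be created with owner-only permissions from the start rather than tightened afterwards. The helper below is an added example, not code from this post or from AWS; it assumes the key material arrives on stdin (for instance from jq -r .KeyMaterial as in the command above), the output file name is the caller's choice, and the same permission check applies to the ~/.aws/credentials file written by aws configure.

```sh
#!/bin/sh
# Private-key file hygiene for the jumpbox. Added example, not from the
# post: writes key material received on stdin so the file is never
# readable by other users, and checks an existing .pem or
# ~/.aws/credentials file for owner-only permissions.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write stdin to $1 under umask 077 in a subshell, so the file is created
# as mode 600 and the caller's umask is left untouched. Refuses to
# overwrite an existing file, because a key pair's private half cannot be
# fetched again from AWS.
save_key_material() {
  target=$1
  if [ -e "$target" ]; then
    echo "refusing to overwrite existing $target" >&2
    return 1
  fi
  ( umask 077; cat > "$target" )
}

# 0 if the file is accessible by its owner only (mode 600 or 400), which
# is what ssh requires for an identity file; 1 otherwise.
check_private_mode() {
  mode=$(file_mode "$1") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$1 has mode $mode; run: chmod 400 $1" >&2; return 1 ;;
  esac
}

# Usage on the jumpbox (key name and region as in the post):
#   aws ec2 create-key-pair --key-name tkg-demo-2 --region ap-south-1 --output json \
#     | jq -r .KeyMaterial | save_key_material tkg-demo-2.pem
#   check_private_mode tkg-demo-2.pem
#   check_private_mode ~/.aws/credentials
```

Setting the umask in a subshell is the important detail: a `chmod 400` run after the redirect leaves a window in which the file was world-readable, and it is skipped entirely if the command pipeline fails part way through.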


Tag Resources: (Optional)

Note: This step is required only if you deploy the management cluster into an existing VPC and create Services of type LoadBalancer in the management cluster. In our case I let TKG create a new VPC during management cluster creation, which you will see in the next post.

# Tag each subnet the cluster uses with the shared cluster tag
$ aws ec2 create-tags --resources <subnet id-1> <subnet id-2> <subnet id-3> --tags Key=kubernetes.io/cluster/<mgmt cluster name>,Value=shared

Required Permissions for AWS Account

  • Refer to the documentation for the IAM resources and permissions required to create a management cluster in your AWS account.

We are now set to create the management cluster.