Deploy OpenClaw on AWS Lightsail without manual headaches

This article is an English adaptation of the original Spanish post:
Desplegar OpenClaw en AWS Lightsail sin sufrir 😎

If you want to deploy OpenClaw on AWS Lightsail in a simple, repeatable way without fighting through manual steps every time, a great option is to use AWS CDK + Python + uv.

In this tutorial, I’ll show you how to provision the required infrastructure using Infrastructure as Code.

🦀 OpenClaw + AWS Lightsail + IaC

Why automate this?

Doing it manually once is fine.

Doing it manually again and again? Not so fun.

With Infrastructure as Code, you get:

• Fewer manual errors
• Consistent deployments
• Fully repeatable environments
• Faster setup for your team
• Everything versioned in Git

The goal is not just to create a Lightsail instance. The goal is to have a deployment process that you can reproduce, destroy, improve, and run again whenever needed.

What does this stack create?

This project provisions an OpenClaw environment on AWS Lightsail, including:

• An OpenClaw Lightsail instance: openclaw_ls_1_0
• Public ports: 22, 80, and 443
• A static public Lightsail IP
• Optional snapshots
• IAM role automation for Amazon Bedrock
• Automatic association and disassociation of the static public IP during the stack lifecycle

Quick prerequisites

Before starting, make sure you have the following installed:

• Python 3.11+
• uv, for Python package and project management
• Node.js 22 LTS
• AWS CLI v2
• AWS CDK CLI

You can install the AWS CDK CLI globally with:

npm i -g aws-cdk

0. Clone the repository

Clone the project repository: aws-cdk-lightsail-openclaw

git clone https://github.com/r3xakead0/aws-cdk-lightsail-openclaw.git
cd aws-cdk-lightsail-openclaw

1. Prepare your local environment

Before synthesizing or deploying the stack, prepare your local environment by installing the project dependencies and validating that your AWS credentials are configured correctly.

Check installed versions

python --version
uv --version
node --version
aws --version
cdk --version

Make sure you have:

• Python 3.11+
• uv installed
• Node.js 22 LTS
• AWS CLI v2
• AWS CDK CLI

Install project dependencies

From the root of the repository, run:

uv sync

Configure your AWS credentials

If you do not have AWS credentials configured yet, run:

aws configure

You will need to provide:

• AWS Access Key ID
• AWS Secret Access Key
• Default region, for example us-east-1
• Default output format, for example json

If you use AWS profiles, export the profile before continuing.

For macOS/Linux:

export AWS_PROFILE=<TU_PROFILE>

For Windows PowerShell:

$env:AWS_PROFILE="<TU_PROFILE>"

Validate AWS access

Run:

aws sts get-caller-identity

You should see an output similar to:

{
  "UserId": "...",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::X234X67X901X:user/your-user"
}

2. Review the configuration file

Open the following file:

config/dev.json

Validate the main fields:

• account
• region, for example us-east-1
• availability_zone, for example us-east-1a
• key_pair_name, for example openclaw-dev-key
• ssh_cidr
• enable_auto_snapshot, which is false by default

This file defines the environment-specific configuration for your deployment.

3. Create or import the Lightsail key pair

This part is important: the key pair must be a Lightsail key pair, not an EC2 key pair.

It also needs to exist in the same region defined in your configuration file.

macOS/Linux

Generate the key:

ssh-keygen -t rsa -b 4096 -m PEM -f ~/.ssh/openclaw-dev-key -C "openclaw-lightsail"
chmod 600 ~/.ssh/openclaw-dev-key
chmod 644 ~/.ssh/openclaw-dev-key.pub

Import it into Lightsail:

aws lightsail import-key-pair \
  --key-pair-name openclaw-dev-key \
  --public-key-base64 "$(cat ~/.ssh/openclaw-dev-key.pub)" \
  --region us-east-1

Validate that the key pair exists:

aws lightsail get-key-pairs \
  --region us-east-1 \
  --query "keyPairs[?name=='openclaw-dev-key'].name" \
  --output table

Windows PowerShell

Generate the key:

ssh-keygen -t rsa -b 4096 -m PEM -f "$HOME\.ssh\openclaw-dev-key" -C "openclaw-lightsail"

Import it into Lightsail:

$pub = Get-Content "$HOME\.ssh\openclaw-dev-key.pub" -Raw
aws lightsail import-key-pair `
  --key-pair-name openclaw-dev-key `
  --public-key-base64 $pub `
  --region us-east-1

Validate it:

aws lightsail get-key-pairs --region us-east-1 --query "keyPairs[?name=='openclaw-dev-key'].name" --output table

4. Bootstrap CDK

You only need to bootstrap once per AWS account and region.

Linux/macOS

./scripts/linux-mac/dev/bootstrap <ACCOUNT_ID> <REGION>

Windows PowerShell

.\scripts\windows\dev\bootstrap.ps1 -AccountId <ACCOUNT_ID> -Region <REGION>

5. Run synth and diff

Before deploying, it is a good idea to synthesize the CloudFormation template and review the changes.

Linux/macOS

./scripts/linux-mac/dev/synth
./scripts/linux-mac/dev/diff

Windows PowerShell

.\scripts\windows\dev\synth.ps1
.\scripts\windows\dev\diff.ps1

The diff step helps you review what CDK is going to create, update, or remove before applying the deployment.

6. Deploy

Now deploy the stack.

Linux/macOS

./scripts/linux-mac/dev/deploy

Windows PowerShell

.\scripts\windows\dev\deploy.ps1

When the deployment finishes, you should see outputs such as:

• InstanceName
• StaticIpName
• PublicIp
• BedrockRoleArn

7. Verify that everything is running

Connect to the instance using SSH.

Linux/macOS

ssh -i ~/.ssh/openclaw-dev-key ubuntu@<PUBLIC_IP>

Windows PowerShell

ssh -i "$HOME\.ssh\openclaw-dev-key" ubuntu@<PUBLIC_IP>

Then run a quick check:

• Open http://<PUBLIC_IP> in your browser
• Verify the instance in the Lightsail console
• Confirm that the Bedrock IAM role exists

At this point, your OpenClaw deployment should be up and running on AWS Lightsail.

8. Destroy the stack when you are done

If this is just a test environment, do not forget to destroy the resources when you finish to avoid unnecessary costs.

Linux/macOS

./scripts/linux-mac/dev/destroy

Windows PowerShell

.\scripts\windows\dev\destroy.ps1

Troubleshooting

The KeyPair does not exist

This usually means one of the following:

• The key pair was not created or imported into Lightsail
• The key pair exists in another region
• The key pair is an EC2 key pair instead of a Lightsail key pair

To fix it, create or import the key pair in Lightsail and make sure it is in the correct AWS region.

Stack stuck in ROLLBACK_COMPLETE

If the stack failed and ended in ROLLBACK_COMPLETE, delete the failed stack and deploy again.

CDK Node.js warning

If CDK shows a warning related to Node.js, make sure you are using Node.js 22 LTS.

If you use nvm, run:

nvm use

Final thoughts

The main idea behind this project is not only to deploy an instance.

The real value is having a repeatable deployment process that does not depend on lost notes, forgotten manual steps, or one-time console configurations.

With AWS CDK, Python, uv, and Lightsail, you can keep the setup simple while still applying Infrastructure as Code practices from the beginning.

This makes the deployment easier to reproduce, easier to destroy, and easier to improve over time.