Announcing the LocalStack 4.4 Release
LocalStack 4.4 is now available! This release brings a new Amazon Verified Permissions provider, a LocalStack-native RDS provider, a container-based Glue job executor, and many other enhancements across services, such as Step Functions, IAM, KMS, EMR Serverless, CloudFront Lambda@Edge, and Application Auto Scaling.

Introduction
LocalStack 4.4 is here, bringing a host of powerful new features and significant enhancements to your local AWS cloud development experience! This release introduces our new Amazon Verified Permissions (AVP) provider, allowing you to define and test fine-grained authorization for your custom applications locally. We’re also rolling out a new, LocalStack-native RDS provider for improved reliability and AWS parity, alongside a container-based Glue job executor that mirrors production environments more closely.
Beyond these major additions, LocalStack 4.4 also delivers major enhancements across numerous services, such as support for mocking service integrations in Step Functions, expanded IAM features like the new service-specific credential APIs and condition keys, plus notable updates to KMS, EMR Serverless, CloudFront Lambda@Edge, and Application Auto Scaling.
Get your free LocalStack account to access the latest features and enhancements in LocalStack 4.4!
How to upgrade?
To upgrade to LocalStack 4.4 using the LocalStack CLI, run the following command to update both the LocalStack Docker image and CLI to the latest version:
localstack update all
If using LocalStack with Docker CLI or Docker Compose, update the Docker image by running:
docker pull localstack/localstack:4.4.0 # Community Edition
docker pull localstack/localstack-pro:4.4.0 # Pro Edition
Pin the LocalStack version in your docker run command or Docker Compose file to 4.4.0.
What’s new in LocalStack 4.4?
- New Amazon Verified Permissions (AVP) provider
- Support for mocking service integrations with Step Functions
- New LocalStack-native RDS provider
- New container-based Glue job executor
- New IAM service-specific credential APIs
- New condition keys for IAM enforcement
- New enhancements in the KMS provider
- New enhancements in the EMR Serverless provider
- New enhancements in the CloudFront Lambda@Edge feature
- New enhancements in the Application Auto Scaling provider
- New cluster deployment configuration for MSF provider
- Miscellaneous
New Amazon Verified Permissions (AVP) provider
LocalStack now supports Amazon Verified Permissions (AVP), a service for managing fine-grained permissions and authorization in custom applications. This feature lets you move authorization logic outside the app, define access rules using the Cedar policy language, and test them locally.
With LocalStack’s AVP provider, you can test authorization logic and integrate with services like Cognito. Supported APIs are listed on the API coverage page.
Current limitations include:
- No schema validation when using PutSchema, and no policy validation based on the schema when creating policies or template policies.
- Only Cognito is supported as IdentitySource; external OIDC providers are not supported.
- Identity source validation and JWT checks are incomplete: jwks.json endpoints, issuer, signature, and expiration are not validated.
Learn more about LocalStack’s AVP provider in our documentation.
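Because the emulator does not validate issuer, signature, or expiration, a token fixture that a validating verifier would reject can still pass local authorization tests. The following added example (not LocalStack code) pre-checks fixture tokens inside a test suite; the function names, the placeholder issuer, and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import time

def _segment(part):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def precheck_identity_token(token, expected_issuer, now=None):
    """List the reasons a validating verifier would reject this token.

    Only offline checks are made (structure, alg, iss, exp). The signature
    check against the pool's jwks.json is out of scope and still needs a
    test stage that runs against real AWS.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header, claims = _segment(parts[0]), _segment(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        problems.append("unsigned token")
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("missing or expired exp")
    return problems

# Constructed sample data: placeholder issuer, fixture tokens with a dummy signature.
ISSUER = "https://issuer.example.invalid/pool-placeholder"

def make_fixture(claims, alg="RS256", signature="ZHVtbXk"):
    """Assemble a test token from the given claims (signature is not real)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.{signature}"
```

Run the pre-check on every token fixture that a local test expects to be authorized, and fail the test when the returned list is not empty.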
Support for mocking service integrations with Step Functions
LocalStack can now be used as a replacement for AWS Step Functions Local testing with mocked service integrations. It supports tests with mocked task states and works with existing Step Functions Local setups. LocalStack also includes support for new Step Functions features like JSONata and Variables, and allows both mocked and emulated service integrations.
Set the SFN_MOCK_CONFIG environment variable to the path of the mock config file, mounted in the LocalStack container, that defines mock service integrations.
Learn more about mocking service integrations in the LocalStack documentation.
New LocalStack-native RDS provider
We’ve introduced a native RDS provider in LocalStack and made it the default. It replaces the previous Moto-based CRUD operations with a more reliable setup that aligns parity and behavior more closely with AWS.
Key updates include enhanced support for Parameter Groups, instance lifecycle operations (create, modify, start, stop, reboot), subnet and security group support, event subscriptions, option groups, snapshots, IAM authentication, proxy support, persistent storage, Neptune instance compatibility, and global tagging across all resources.
RDS state created in version 4.3 or earlier using Cloud Pods or standard persistence will not be compatible with the new provider introduced in version 4.4. Recreating the RDS state is recommended for compatibility.
Learn more about RDS in the LocalStack documentation.
New container-based Glue job executor
LocalStack now includes a container-based Glue job executor that runs Glue jobs inside a Docker environment. Previously, it used a pre-packaged binary with Spark and required components. The new executor uses the aws-glue-libs Docker image, providing better production parity, faster startup, and more reliable execution.
It supports:
- Running Glue jobs in Docker containers
- Isolated execution environments for each job
- Running multiple jobs in parallel
- Correct versioning for Spark, Hadoop, Python, Java, and related libraries
- Improved startup time and offline execution
To use it, set GLUE_JOB_EXECUTOR=docker and GLUE_JOB_EXECUTOR_PROVIDER=v2 in your LocalStack configuration. This executor deprecates older Glue versions (0.9, 1.0, 2.0).
Learn more about Glue in the LocalStack documentation.
New IAM service-specific credential APIs
IAM service-specific credential APIs have now been implemented in LocalStack. These APIs allow the creation and management of service-specific credentials for IAM users. LocalStack supports only CRUD (Create, Read, Update, Delete) operations for these credentials.
The newly supported APIs are:
- CreateServiceSpecificCredential
- ListServiceSpecificCredentials
- UpdateServiceSpecificCredential
- ResetServiceSpecificCredential
- DeleteServiceSpecificCredential
Learn more about IAM in the LocalStack documentation.
New condition keys for IAM enforcement
LocalStack has added support for several new IAM condition keys to emulate fine-grained access control policies. IAM condition keys are used within policy statements to impose specific conditions under which permissions are granted or denied.
The newly supported condition keys in LocalStack include:
- iam:PermissionBoundary
- aws:RequestTag
- aws:TagKeys
- sts:ExternalId
- iam:AWSServiceName
- aws:PrincipalIsAWSService
- aws:PrincipalServiceName
- aws:username
These additions enable more precise testing of IAM policies that rely on these condition keys.
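The following added example (not LocalStack code) is a simplified model of how IAM evaluates condition blocks for aws:TagKeys, aws:RequestTag, and sts:ExternalId, showing the request contexts worth asserting on when testing such policies, including the untagged request that ForAllValues matches vacuously. The evaluator, the policy fragments, and all values are assumptions constructed for illustration; only StringEquals and ForAllValues:StringEquals are modelled.

```python
# Simplified model of IAM condition evaluation (an assumption for illustration:
# only StringEquals and ForAllValues:StringEquals are modelled).

def condition_matches(condition, context):
    """Return True when every operator/key pair in a Condition block matches.

    context maps a condition key to a string (single-valued key) or a list of
    strings (multivalued key such as aws:TagKeys); a key missing from context
    is a key missing from the request.
    """
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            allowed = [allowed] if isinstance(allowed, str) else list(allowed)
            if operator == "StringEquals":
                # A missing key never satisfies a positive string operator.
                if context.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Vacuously true when the request carries no values at all.
                if not all(v in allowed for v in context.get(key, [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def tag_context(tags):
    """Build the tag-related request context for a tagging call."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    if tags:
        ctx["aws:TagKeys"] = list(tags)
    return ctx

# Constructed policy fragments and values.
# LOOSE only limits which tag keys may appear in the request.
LOOSE = {"ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]}}
# STRICT also requires the team tag to be present with an approved value.
STRICT = {**LOOSE, "StringEquals": {"aws:RequestTag/team": ["payments", "platform"]}}
# TRUST is the condition of a cross-account role trust policy.
TRUST = {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}

if __name__ == "__main__":
    for name, cond, ctx in [
        ("LOOSE, no tags", LOOSE, tag_context({})),
        ("STRICT, no tags", STRICT, tag_context({})),
        ("STRICT, team+env", STRICT, tag_context({"team": "payments", "env": "dev"})),
        ("TRUST, no ExternalId", TRUST, {}),
    ]:
        print(f"{name}: {'match' if condition_matches(cond, ctx) else 'no match'}")
```

Each case maps to a local test: send the request with that context and assert that the emulator allows or denies it the same way.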
New enhancements in the KMS provider
LocalStack’s KMS provider now includes the following enhancements:
- Enables custom_key_material usage for Elliptic Curve Cryptography (ECC) keys in the KMS service.
- Adds the ability to decrypt data encrypted before a key rotation event by preserving the history of key material during RotateKeyOnDemand, maintaining access to all rotated KMS keys.
- Improves KMS PSS signature generation by aligning salt length with RFC 4055, increasing compatibility with external cryptographic libraries.
- Adds support for the dry_run parameter in the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext APIs.
New enhancements in the EMR Serverless provider
LocalStack’s EMR Serverless provider now includes the following enhancements:
- EMR Serverless jobs now accept program arguments when running scripts, allowing the reuse of functionality and parameterized execution.
- Logs from EMR Serverless jobs are now sent to CloudWatch for better visibility into job execution and easier debugging of failures.
New enhancements in the CloudFront Lambda@Edge feature
LocalStack’s CloudFront Lambda@Edge feature now includes the following enhancements:
- Added support for the IncludeBody parameter.
- Added validations for supported Python and Node.js runtimes.
New enhancements in the Application Auto Scaling provider
LocalStack’s Application Auto Scaling provider now features support for tagging and untagging resources. This allows you to manage tags on your Application Auto Scaling resources, enabling better organization and management of your resources. The following APIs are now supported:
New cluster deployment configuration for MSF provider
Managed Service for Apache Flink cluster deployment on LocalStack now consists of two separate containers for JobManager and TaskManager. This configuration better emulates the distributed nature of Flink and how it behaves on AWS. Previously, both managers were run inside a single container with a shared filesystem.
Miscellaneous
- Support for IAM transitive session tagging is now available. Tags marked as transitive on IAM sessions now propagate correctly and can be used for IAM policy enforcement.
- Improvements to AppSync VTL template $utils helpers now include better support for $util.error and added support for $util.appendError.
- Support for record filtering for MSK & Self-Managed Kafka Event Source Mappings.
- Ruby 3.4 Lambda runtime is now supported in LocalStack.
- Replication support for AWS::Route53::HostedZone is now available for the AWS Replicator tool.
- Support for ListStateMachineAliases pagination is now available in Step Functions. This includes handling of the --next-token and --max-results parameters to paginate results when listing aliases for a state machine.
- Implemented automatic registration of ECS tasks with AWS Cloud Map service discovery. Container IP addresses are now correctly registered in the service registry, enabling accurate service discovery and proper task-to-task communication.
- Support for SES email confirmation from user pools is now available. User pools can now send confirmation emails to new users via SES automatically upon user creation.
- Enhanced DeleteRepository operation in ECR to correctly honor the --force flag. When --force is specified, repositories containing images can now be deleted without requiring individual image deletion.
- Enhanced CreateComputeEnvironment API in AWS Batch to automatically create an AWSBatchServiceRole if none is provided. This improves parity with AWS by matching the default behavior where the role is auto-created if not explicitly specified.
- Enhanced domain name handling to properly normalize escaped character sequences in DNS names. This improves AWS parity by ensuring that all Route 53 encoded domain names are correctly processed before being passed to the DNS server.
- Enhanced the OAuth2 authorization flow to generate unique state and code values for each login attempt. This improves CSRF protection for existing users and ensures compliance with OAuth2 specifications.
- Deleting a FIFO message with an expired receipt handle now raises an error to achieve better parity with AWS.
- Added X-Ray trace ID propagation from EventBridge to target services (Lambda and API Gateway), enabling end-to-end request tracing. This also ensures compatibility with existing trace header encoding.
- The --profile flag can now be used anywhere in the CLI command, not just at the top level, improving compatibility with custom tooling.
- Implemented support for USER_AUTH authentication flow type in Cognito, enabling SMS_OTP, PASSWORD, and PASSWORD_SRP challenge handling to match AWS behavior.
Conclusion
LocalStack 4.4 marks another significant step forward in our mission to provide a high-fidelity local AWS environment. The introduction of the Amazon Verified Permissions provider, the revamped native RDS implementation, and the new containerized Glue job executor are key highlights that offer developers more power and parity with AWS services. Coupled with the broad array of enhancements, this release empowers you to build and test your cloud applications with even greater confidence and efficiency.
We’re committed to continuously bridging the gap between local development and the cloud, and these updates reflect that dedication. Upgrade to LocalStack 4.4 today to leverage these new capabilities and accelerate your cloud development lifecycle!