Announcing the LocalStack 4.4 Release

LocalStack 4.4 is now available! This release brings a new Amazon Verified Permissions provider, a LocalStack-native RDS provider, a container-based Glue job executor, and many other enhancements across services, such as Step Functions, IAM, KMS, EMR Serverless, CloudFront Lambda@Edge, and Application Auto Scaling.

Introduction

LocalStack 4.4 is here, bringing a host of powerful new features and significant enhancements to your local AWS cloud development experience! This release introduces our new Amazon Verified Permissions (AVP) provider, allowing you to define and test fine-grained authorization for your custom applications locally. We’re also rolling out a new, LocalStack-native RDS provider for improved reliability and AWS parity, alongside a container-based Glue job executor that mirrors production environments more closely.

Beyond these major additions, LocalStack 4.4 also delivers major enhancements across numerous services, such as support for mocking service integrations in Step Functions, expanded IAM features like the new service-specific credential APIs and condition keys, plus notable updates to KMS, EMR Serverless, CloudFront Lambda@Edge, and Application Auto Scaling.

Get your free LocalStack account to access the latest features and enhancements in LocalStack 4.4!

How to upgrade?

To upgrade to LocalStack 4.4 using the LocalStack CLI, run the following command to update both the LocalStack Docker image and CLI to the latest version:

localstack update all

If using LocalStack with Docker CLI or Docker Compose, update the Docker image by running:

docker pull localstack/localstack:4.4.0 # Community Edition
docker pull localstack/localstack-pro:4.4.0 # Pro Edition

Pin the LocalStack version in your docker run command or Docker Compose file to 4.4.0.

What’s new in LocalStack 4.4?

New Amazon Verified Permissions (AVP) provider

LocalStack now supports Amazon Verified Permissions (AVP), a service for managing fine-grained permissions and authorization in custom applications. This feature lets you move authorization logic outside the app, define access rules using the Cedar policy language, and test them locally.

With LocalStack’s AVP provider, you can test authorization logic and integrate with services like Cognito. Supported APIs are listed on the API coverage page.

Current limitations include:

  • No schema validation when using PutSchema, and no policy validation based on the schema when creating policies or template policies.
  • Only Cognito is supported as IdentitySource; external OIDC providers are not supported.
  • Identity source validation and JWT checks are incomplete: jwks.json endpoints, issuer, signature, and expiration are not validated.

Learn more about LocalStack’s AVP provider in our documentation.
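Because the issuer and expiration checks listed above are not performed locally, an "allow" decision obtained with an expired or wrong-issuer token says nothing about how that token would fare against AWS. The following is an added example, not LocalStack's code: a claims-only audit for token fixtures used in local AVP tests. The issuer value, helper names, and tokens are constructed placeholders.

```python
import base64
import json
import time
from typing import Optional

# Constructed placeholder issuer in the Cognito issuer URL shape.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"


def make_fixture(claims: dict) -> str:
    """Build a constructed token fixture; the signature segment is a dummy."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.ZHVtbXk"


def claim_problems(token: str, issuer: str, now: Optional[float] = None) -> list:
    """List issuer/expiry defects in a token fixture.

    Only the claims are read. Signature and JWKS checks need the pool's
    public keys and a JWT library, and are deliberately not modelled here.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return ["payload is not base64url JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing exp")
    return problems
```

Fixtures that return a non-empty list belong in negative tests that run against a real token verifier, since the local provider will not reject them on these grounds.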

Support for mocking service integrations with Step Functions

LocalStack can now be used as a replacement for AWS Step Functions Local testing with mocked service integrations. It supports tests with mocked task states and works with existing Step Functions Local setups. LocalStack also includes support for new Step Functions features like JSONata and Variables, and allows both mocked and emulated service integrations.

Set the SFN_MOCK_CONFIG environment variable to the path of the mock config file, mounted in the LocalStack container, that defines mock service integrations.

Learn more about mocking service integrations in the LocalStack documentation.

New LocalStack-native RDS provider

We’ve introduced a native RDS provider in LocalStack and made it the default. It replaces the previous Moto-based CRUD operations with a more reliable setup that aligns parity and behavior more closely with AWS.

Key updates include enhanced support for Parameter Groups, instance lifecycle operations (create, modify, start, stop, reboot), subnet and security group support, event subscriptions, option groups, snapshots, IAM authentication, proxy support, persistent storage, Neptune instance compatibility, and global tagging across all resources.

RDS state created in version 4.3 or earlier using Cloud Pods or standard persistence will not be compatible with the new provider introduced in version 4.4. Recreating the RDS state is recommended for compatibility.

Learn more about RDS in the LocalStack documentation.

New container-based Glue job executor

LocalStack now includes a container-based Glue job executor that runs Glue jobs inside a Docker environment. Previously, it used a pre-packaged binary with Spark and required components. The new executor uses the aws-glue-libs Docker image, providing better production parity, faster startup, and more reliable execution.

It supports:

  • Running Glue jobs in Docker containers
  • Isolated execution environments for each job
  • Running multiple jobs in parallel
  • Correct versioning for Spark, Hadoop, Python, Java, and related libraries
  • Improved startup time and offline execution

To use it, set GLUE_JOB_EXECUTOR=docker and GLUE_JOB_EXECUTOR_PROVIDER=v2 in your LocalStack configuration. This executor deprecates older Glue versions (0.9, 1.0, 2.0).

Learn more about Glue in the LocalStack documentation.

New IAM service-specific credential APIs

IAM service-specific credential APIs have now been implemented in LocalStack. These APIs allow the creation and management of service-specific credentials for IAM users. LocalStack supports only CRUD (Create, Read, Update, Delete) operations for these credentials.

The newly supported APIs are:

Learn more about IAM in the LocalStack documentation.

New condition keys for IAM enforcement

LocalStack has added support for several new IAM condition keys to emulate fine-grained access control policies. IAM condition keys are used within policy statements to impose specific conditions under which permissions are granted or denied.

The newly supported condition keys in LocalStack include:

  • iam:PermissionBoundary
  • aws:RequestTag
  • aws:TagKeys
  • sts:ExternalId
  • iam:AWSServiceName
  • aws:PrincipalIsAWSService
  • aws:PrincipalServiceName
  • aws:username

These additions enable more precise testing of IAM policies that rely on these condition keys.
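When writing tests for policies that use aws:RequestTag and aws:TagKeys, one edge case deserves its own test: a ForAllValues condition is satisfied by a request that carries no tags at all. The following is an added example, not LocalStack's or AWS's evaluation code: a simplified model of two condition operators, with constructed conditions and request contexts.

```python
# Condition block that only restricts which tag keys may be used.
TAG_KEYS_ONLY = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]},
}

# Same restriction, paired with a required tag value.
PAIRED = {
    "StringEquals": {"aws:RequestTag/team": ["payments"]},
    "ForAllValues:StringEquals": {"aws:TagKeys": ["team", "env"]},
}


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a condition block; every operator and key must match (AND).

    Simplified model: only the two operators below, case-sensitive keys.
    """
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed = [allowed] if isinstance(allowed, str) else allowed
            present = context.get(key)
            if operator == "StringEquals":
                # Single-valued operator: a key missing from the request
                # context never matches.
                if present is None or present not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every value in the request must be allowed; an absent or
                # empty set of values passes vacuously.
                if not all(value in allowed for value in (present or [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


# Constructed request contexts.
TAGGED = {"aws:RequestTag/team": "payments", "aws:TagKeys": ["team", "env"]}
EXTRA_KEY = {"aws:RequestTag/team": "payments", "aws:TagKeys": ["team", "owner"]}
UNTAGGED = {}
```

An untagged request satisfies TAG_KEYS_ONLY but not PAIRED, so a policy meant to require tags needs the second form and a test that sends no tags.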

New enhancements in the KMS provider

LocalStack’s KMS provider now includes the following enhancements:

  • Enables custom_key_material usage for Elliptic Curve Cryptography (ECC) keys in the KMS service.
  • Adds the ability to decrypt data encrypted before a key rotation event by preserving the history of key material during RotateKeyOnDemand, maintaining access to all rotated KMS keys.
  • Improves KMS PSS signature generation by aligning salt length with RFC 4055, increasing compatibility with external cryptographic libraries.
  • Adds support for the dry_run parameter in the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext APIs.

New enhancements in the EMR Serverless provider

LocalStack’s EMR Serverless provider now includes the following enhancements:

  • EMR Serverless jobs now accept program arguments when running scripts, allowing the reuse of functionality and parameterized execution.
  • Logs from EMR Serverless jobs are now sent to CloudWatch for better visibility into job execution and easier debugging of failures.

New enhancements in the CloudFront Lambda@Edge feature

LocalStack’s CloudFront Lambda@Edge feature now includes the following enhancements:

  • Added support for the IncludeBody parameter.
  • Added validations for supported Python and Node.js runtimes.

New enhancements in the Application Auto Scaling provider

LocalStack’s Application Auto Scaling provider now features support for tagging and untagging resources. This allows you to manage tags on your Application Auto Scaling resources, enabling better organization and management of your resources. The following APIs are now supported:

New cluster deployment configuration for MSF provider

Managed Service for Apache Flink cluster deployment on LocalStack now consists of two separate containers for JobManager and TaskManager. This configuration better emulates the distributed nature of Flink and how it behaves on AWS. Previously, both managers were run inside a single container with a shared filesystem.

Miscellaneous

  • Support for IAM transitive session tagging is now available. Tags marked as transitive on IAM sessions now propagate correctly and can be used for IAM policy enforcement.
  • Improvements to AppSync VTL template $utils helpers now include better support for $util.error and added support for $util.appendError.
  • Support for record filtering for MSK & Self-Managed Kafka Event Source Mappings.
  • Ruby 3.4 Lambda runtime is now supported in LocalStack.
  • Replication support for AWS::Route53::HostedZone is now available for the AWS Replicator tool.
  • Support for ListStateMachineAliases pagination is now available in Step Functions. This includes handling of the --next-token and --max-results parameters to paginate results when listing aliases for a state machine.
  • Implemented automatic registration of ECS tasks with AWS Cloud Map service discovery. Container IP addresses are now correctly registered in the service registry, enabling accurate service discovery and proper task-to-task communication.
  • Support for SES email confirmation from user pools is now available. User pools can now send confirmation emails to new users via SES automatically upon user creation.
  • Enhanced DeleteRepository operation in ECR to correctly honor the --force flag. When --force is specified, repositories containing images can now be deleted without requiring individual image deletion.
  • Enhanced CreateComputeEnvironment API in AWS Batch to automatically create an AWSBatchServiceRole if none is provided. This improves parity with AWS by matching the default behavior where the role is auto-created if not explicitly specified.
  • Enhanced domain name handling to properly normalize escaped character sequences in DNS names. This improves AWS parity by ensuring that all Route 53 encoded domain names are correctly processed before being passed to the DNS server.
  • Enhanced the OAuth2 authorization flow to generate unique state and code values for each login attempt. This improves CSRF protection for existing users and ensures compliance with OAuth2 specifications.
  • Deleting a FIFO message with an expired receipt handle now raises an error to achieve better parity with AWS.
  • Added X-Ray trace ID propagation from EventBridge to target services (Lambda and API Gateway), enabling end-to-end request tracing. This also ensures compatibility with existing trace header encoding.
  • The --profile flag can now be used anywhere in the CLI command, not just at the top level, improving compatibility with custom tooling.
  • Implemented support for USER_AUTH authentication flow type in Cognito, enabling SMS_OTP, PASSWORD, and PASSWORD_SRP challenge handling to match AWS behavior.

Conclusion

LocalStack 4.4 marks another significant step forward in our mission to provide a high-fidelity local AWS environment. The introduction of the Amazon Verified Permissions provider, the revamped native RDS implementation, and the new containerized Glue job executor are key highlights that offer developers more power and parity with AWS services. Coupled with the broad array of enhancements, this release empowers you to build and test your cloud applications with even greater confidence and efficiency.

We’re committed to continuously bridging the gap between local development and the cloud, and these updates reflect that dedication. Upgrade to LocalStack 4.4 today to leverage these new capabilities and accelerate your cloud development lifecycle!


Harsh Mishra
Engineer at LocalStack
Harsh Mishra is an Engineer at LocalStack and AWS Community Builder. Harsh has previously worked at HackerRank, Red Hat, and Quansight, and specialized in DevOps, Platform Engineering, and CI/CD pipelines.