v4.4.0

@localstack-bot localstack-bot released this 08 May 08:26
· 45 commits to master since this release

Summary

LocalStack 4.4 introduces the Amazon Verified Permissions provider, a native RDS provider for better AWS parity, and a container-based Glue job executor. The release also includes Step Functions service integration mocking, expanded IAM features with service-specific credential APIs and condition keys, and updates to KMS, EMR Serverless, CloudFront Lambda@Edge, and Application Auto Scaling services.

AWS Features

  • LocalStack now supports Amazon Verified Permissions (AVP) for managing fine-grained access using Cedar policies. You can test authorization logic locally and integrate with services like Cognito. Refer to our documentation to learn more. (🌟 enterprise)
  • LocalStack now supports AWS Step Functions Local with mocked and emulated service integrations. It works with existing setups and includes support for JSONata, Variables, and mocked task states. Refer to our documentation to learn more.
  • LocalStack now uses a new native RDS provider by default for better AWS parity. It adds support for advanced features like parameter groups, snapshots, IAM auth, proxies, and Neptune compatibility. (🌟 pro)
  • LocalStack now runs Glue jobs in Docker using the aws-glue-libs image for better parity, faster startup, and isolated execution. Set GLUE_JOB_EXECUTOR=docker and GLUE_JOB_EXECUTOR_PROVIDER=v2 to enable it. (🌟 pro)
  • Ruby 3.4 Lambda runtime is now supported in LocalStack.

Enhancements

  • LocalStack now supports IAM service-specific credential APIs with full CRUD operations. Supported APIs include create, list, update, reset, and delete for service-specific credentials.
  • LocalStack now supports additional IAM condition keys for fine-grained access control in policies. New keys include iam:PermissionBoundary, aws:RequestTag, sts:ExternalId, aws:username, and others.
  • KMS provider now includes the following enhancements:
    • Enables custom_key_material usage for Elliptic Curve Cryptography (ECC) keys in the KMS service.
    • Adds ability to decrypt data encrypted before a key rotation event by preserving the history of key material during RotateKeyOnDemand, maintaining access to all rotated KMS keys.
    • Improves KMS PSS signature generation by aligning salt length with RFC 4055, increasing compatibility with external cryptographic libraries.
    • Adds support for the dry_run parameter in the GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext APIs.
  • EMR Serverless provider now includes the following enhancements: (🌟 pro)
    • EMR Serverless jobs now accept program arguments when running scripts, allowing reuse of functionality and parameterized execution.
    • Logs from EMR Serverless jobs are now sent to CloudWatch for better visibility into job execution and easier debugging of failures.
  • CloudFront Lambda@Edge feature now includes the following enhancements: (🌟 pro)
    • Added support for the IncludeBody parameter.
    • Added validations for supported Python and Node.js runtimes.
  • LocalStack now supports tagging for Application Auto Scaling resources. Supported APIs include TagResource, UntagResource, and ListTagsForResource. (🌟 pro)
  • LocalStack now runs Apache Flink's JobManager and TaskManager in separate containers to better emulate AWS behavior. Previously, both ran in a single container with a shared filesystem. (🌟 pro)
  • Support for IAM transitive session tagging is now available. Tags marked as transitive on IAM sessions now propagate correctly and can be used for IAM policy enforcement.
  • AppSync VTL template $util helpers now include better support for $util.error and add support for $util.appendError. (🌟 pro)
  • Support for record filtering for MSK & Self-Managed Kafka Event Source Mappings. (🌟 pro)
  • Support for ListStateMachineAliases pagination is now available in Step Functions. This includes handling of the --next-token and --max-results parameters to paginate results when listing aliases for a state machine.
  • Implemented automatic registration of ECS tasks with AWS Cloud Map service discovery. Container IP addresses are now correctly registered in the service registry, enabling accurate service discovery and proper task-to-task communication. (🌟 pro)
  • Support for SES email confirmation from user pools is now available. User pools can now send confirmation emails to new users via SES automatically upon user creation. (🌟 pro)
  • Enhanced DeleteRepository operation in ECR to correctly honor the --force flag. When --force is specified, repositories containing images can now be deleted without requiring individual image deletion. (🌟 pro)
  • Enhanced CreateComputeEnvironment API in AWS Batch to automatically create an AWSBatchServiceRole if none is provided. This improves parity with AWS by matching the default behavior where the role is auto-created if not explicitly specified. (🌟 pro)
  • Enhanced domain name handling to properly normalize escaped character sequences in DNS names. This improves AWS parity by ensuring that all Route 53 encoded domain names are correctly processed before being passed to the DNS server.
  • Enhanced the OAuth2 authorization flow to generate unique state and code values for each login attempt. This improves CSRF protection for existing users and ensures compliance with OAuth2 specifications. (🌟 pro)
  • Deleting a FIFO message with an expired receipt handle now raises an error to achieve better parity with AWS.
  • Added X-Ray trace ID propagation from EventBridge to target services (Lambda and API Gateway), enabling end-to-end request tracing. This also ensures compatibility with existing trace header encoding.
  • Implemented support for USER_AUTH authentication flow type in Cognito, enabling SMS_OTP, PASSWORD, and PASSWORD_SRP challenge handling to match AWS behavior. (🌟 pro)

LocalStack Features

  • Replication support for AWS::Route53::HostedZone is now available for the AWS Replicator tool. (🌟 teams)
  • The --profile flag can now be used anywhere in the CLI command, not just at the top level, improving compatibility with custom tooling.

Deprecations

  • Older Glue versions (0.9, 1.0, 2.0) are now deprecated.
  • RDS state created in version 4.3 or earlier using Cloud Pods or standard persistence will not be compatible with the new RDS provider introduced in version 4.4. Recreating the RDS state is recommended for compatibility. (🌟 pro)

What's Changed

Exciting New Features 🎉

  • CloudFormation: [POC] Support Update Graph Modeling of Mappings and FindInMap by @MEPalma in #12432
  • CloudFormation: POC Support for Modeling of Outputs Blocks in the Update Graph, Improved Handling of Intrinsic Function Types by @MEPalma in #12443
  • Lambda: Added Ruby 3.4 Runtime by @anisaoshafi in #12458
  • Fix(#12318): Fixes a bug in evaluation of JSONPath for wildcard and s… by @marcodallasanta in #12366
  • CFn: WIP POC v2 executor by @simonrw in #12396
  • Step Functions: Migrate v2 Test Suite to no_retry aws_client Fixture by @MEPalma in #12461
  • Reapply reduce requests necessary for log publishing from lambda to cloudwatch logs by @dfangl in #12470
  • KMS: fix RSA PSS signing issue for salt length by @sannya-singal in #12467
  • [ESM] Re-initialize shards when NextShardIterator value is empty by @gregfurman in #12483
  • KMS: add ability to decrypt data with all rotated keys by @sannya-singal in #12482
  • CloudFormation: Update Graph Preprocessor by @MEPalma in #12447
  • Step Functions: remove config variables for legacy provided removed in v4.0 by @MEPalma in #12492
  • Step Functions Mocking: Add Support for Mounting Mocked Service Responses via MockConfigFile.json by @MEPalma in #12493
  • KMS: enable _custom_key_material_ for ECC keys by @sannya-singal in #12504
  • transcribe: add model path to vosk Model by @sannya-singal in #12479
  • Step Functions: Increase Retry Attempts on Service Integrations for Resilience Against Transient Network Errors by @MEPalma in #12512
  • Support IAM transitive session tagging by @dfangl in #12508
  • feat: propagate x-ray trace id to event bridge targets by @maxhoheiser in #12481
  • CloudFormation Engine v2: Base Mappings and Conditions tests for Update Graph and PreProc by @MEPalma in #12527
  • CloudFormation Engine V2: Improve delta computation of properties, conditional resolution, and physical resources ref by @MEPalma in #12533
  • Step Functions: Surface Support for Mocked Responses by @MEPalma in #12525
  • fix links for issue & PR messages by @HarshCasper in #12541
  • Lambda: fix transient connection errors on first container invoke with retry logic by @MEPalma in #12522
  • [ESM] Support discarding events exceeding MaxRecordAgeInSeconds by @gregfurman in #12531
  • Cloud Formation Engine v2: Improve Computation of Ref Functions and PhysicalResourceIDs Listing by @MEPalma in #12535
  • Clarify coverage error messages to distinguish license and emulation limits by @MEPalma in #12547
  • Step Functions: Decrease LocalStack Sampling Delays to Speed Up Tests Suite by @MEPalma in #12550
  • Cloud Formation v2 Engine: Support for Default fields in Parameters by @MEPalma in #12537
  • feat: add current region and account as input to _proxy_capture_input_event by @maxhoheiser in #12554
  • Step Functions: Improve Mocked Response Integration by @MEPalma in #12553
  • Step Functions: Fix Mock Test for Multi-Region by @MEPalma in #12562
  • Step Functions: Mock Mode Improvements by @MEPalma in #12560
  • Bump moto-ext to 5.1.4.post1 by @viren-nadkarni in #12563
  • Step Functions: Add Telemetry for SFN_MOCK_CONFIG Usage by @MEPalma in #12584

Other Changes

New Contributors

Full Changelog: v4.3.0...v4.4.0