IAM Coverage

In principle, LocalStack supports all operations. However, not all services and their operations have been tested yet. The table below lists all IAM services and operations that have been tested, noting if they were ever denied or allowed during testing. It only includes operations performed with a principal, not as root, so test setups are excluded.

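| Name | Operation | Access denied | Access allowed |
|---|---|---|---|
| acm | ListCertificates | Yes | Yes |
| apigateway | DeleteRestApi | No | Yes |
| apigateway | CreateRestApi | Yes | Yes |
| backup | DescribeBackupVault | Yes | Yes |
| batch | CreateComputeEnvironment | No | Yes |
| cloudformation | ListStacks | Yes | Yes |
| cloudwatch | PutMetricData | Yes | Yes |
| dynamodb | DescribeTable | No | Yes |
| dynamodb | CreateTable | Yes | Yes |
| dynamodb | DeleteTable | No | Yes |
| ecr | DescribeImages | Yes | No |
| efs | DescribeFileSystems | Yes | Yes |
| es | DescribeElasticsearchDomains | Yes | Yes |
| events | DeleteEventBus | No | Yes |
| events | PutEvents | Yes | Yes |
| events | CreateEventBus | Yes | Yes |
| kinesis | CreateStream | Yes | Yes |
| kinesis | DeleteStream | No | Yes |
| kms | CreateKey | Yes | Yes |
| kms | DescribeKey | Yes | Yes |
| lambda | DeleteFunction | No | Yes |
| lambda | Invoke | Yes | Yes |
| lambda | GetLayerVersion | Yes | Yes |
| lambda | CreateFunction | Yes | Yes |
| logs | CreateLogGroup | Yes | Yes |
| logs | PutLogEvents | No | Yes |
| logs | CreateLogStream | No | Yes |
| logs | DeleteLogGroup | No | Yes |
| redshift | DescribeClusters | Yes | Yes |
| redshift-data | ListDatabases | Yes | Yes |
| s3 | UploadPart | No | Yes |
| s3 | GetObject | Yes | Yes |
| s3 | DeleteBucket | No | Yes |
| s3 | CreateBucket | Yes | Yes |
| s3 | ListBuckets | Yes | Yes |
| s3 | CreateMultipartUpload | Yes | Yes |
| s3 | CompleteMultipartUpload | No | Yes |
| s3 | DeleteObject | No | Yes |
| s3 | ListObjects | Yes | Yes |
| s3 | PutObject | Yes | Yes |
| secretsmanager | CreateSecret | Yes | Yes |
| secretsmanager | GetSecretValue | Yes | Yes |
| secretsmanager | DeleteSecret | No | Yes |
| sns | Publish | No | Yes |
| sqs | GetQueueAttributes | Yes | No |
| sqs | CreateQueue | Yes | Yes |
| sqs | SendMessage | Yes | Yes |
| sqs | ReceiveMessage | Yes | Yes |
| sqs | DeleteQueue | No | Yes |
| stepfunctions | DeleteStateMachine | No | Yes |
| stepfunctions | CreateStateMachine | Yes | Yes |
| sts | GetCallerIdentity | No | Yes |
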

| Source Service | Target Service | Feature | Operation | Implemented | Tested |
|---|---|---|---|---|---|
| sns | sqs | SNS subscription | sqs.SendMessage | Yes | Yes |
| sns | lambda | SNS subscription | lambda.Invoke | Yes | Yes |
| lambda | sqs | Event destinations | sqs.SendMessage | Yes | Yes |
| lambda | logs | Storing Lambda logs | logs.CreateLogGroup, logs.CreateLogStream, logs.PutLogEvents | Yes | No |
| lambda | sns | Event destinations | sns.Publish | Yes | No |
| lambda | sqs | Event source mapping | | Yes | Yes |
| lambda | kinesis | Event source mapping | | Yes | Yes |
| lambda | dynamodb | Event source mapping | | Yes | Yes |
| lambda | kafka | Event source mapping | | No | No |
| events | lambda | Event rule target | | Yes | Yes |
| sns | ses | SNS subscription | | Yes | Yes |
| sns | firehose | SNS subscription | | Yes | Yes |
| events | sns | Event rule target | | Yes | Yes |
| events | sqs | Event rule target | | Yes | Yes |
| events | logs | Event rule target | | Yes | Yes |
| events | firehose | Event rule target | | Yes | Yes |
| events | events | Event rule target | | Yes | Yes |
| events | kinesis | Event rule target | | Yes | Yes |
| events | stepfunctions | Event rule target | | Yes | Yes |
| apigateway | lambda | API integration | | Yes | Yes |
| apigateway | dynamodb | API integration | | Yes | Yes |
| apigateway | kinesis | API integration | | Yes | Yes |
| apigateway | s3 | API integration | | No | No |
| apigateway | sns | API integration | | No | Yes |
| apigateway | sqs | API integration | | Yes | Yes |
| apigateway | stepfunctions | API integration | | No | No |
| apigateway | appsync | API integration | | No | No |
| cloudformation | * | Resource Modification | | No | No |
| lambda | sts | Assuming execution role | | Yes | Yes |
| s3 | sqs | Bucket notification | | Yes | Yes |
| s3 | sns | Bucket notification | | Yes | Yes |


| Permission Type | Details |
|---|---|
| Identity Based Permissions | Roles, Users |
| Resource Based Permissions | Lambda, ECR (Elastic Container Registry), EFS (Elastic File System), SQS (Simple Queue Service), SNS (Simple Notification Service), KMS (Key Management Service), S3 (Simple Storage Service), Backup, Events, Secrets Manager, IAM/STS (Identity and Access Management/Security Token Service) |
| Permission Boundaries | Roles, Users |


| Category | Description |
|---|---|
| Version | Not evaluated, but only "2012-10-17" supported/tested. |
| Id | The policy ID is currently ignored. |
| Statements | Supported with the following policy elements: |
| Effect | Fully supported. Allow + Deny |
| Sid | Currently ignored |
| Action, NotAction | Supported including placeholder * |
| Principal, NotPrincipal | Supported principals: Service; (Assumed) role (ARN only); User (ARN only). Organizations, Federated, CanonicalUsers etc. are currently not supported |
| Resource, NotResource | In general supported, including placeholders * and ?. No support for policy variables |
| Condition | Supported condition operators: StringEquals, StringEqualsIgnoreCase, StringLike, ArnLike/ArnEquals. Supported condition keys: aws:SourceArn |

- CloudFormation stack permissions do not work as expected.