Skip to content

AWS Replicator

Infrastructure deployed on AWS often requires access to shared resources defined externally. For example a VPC defined by another team to contain the application infrastructure. This makes it harder to deploy applications into LocalStack as these resource dependencies must be deployed first. These dependencies may not live in IaC where deployment is easy, or accessing the IaC may not be easy. Some resources may be referred to by ARN, for example Secrets Manager secrets, but these ARNs are partly random meaning that simply creating a new resource in LocalStack will generate a resource with a different ARN.

LocalStack AWS Replicator creates identical copies of AWS resources in a running LocalStack instance. This means that external resources can easily be replicated before deploying the main application, and removes the need to change existing stacks or create custom infrastructure, making LocalStack setup easier.

A valid LOCALSTACK_AUTH_TOKEN must be configured to start the LocalStack Pro image.

The AWS Replicator needs read access to your AWS account and performs a limited set of read-only operations on supported resources. These operations can be limited by creating a minimal IAM role with just the policy actions required for replication, and providing credentials to assume this role.

See the supported resources section for details of what policy actions are required for each resource.

When the replication is triggered using the LocalStack CLI, which must run in a shell configured to access AWS. Here are some options:

If you have the AWS CLI v2 installed, the CLI will read credentials from your configured AWS_PROFILE.

Terminal window
export AWS_PROFILE=my-aws-profile
localstack replicator ...

Replication jobs can be triggered using the LocalStack CLI or an HTTP API. Both methods have two steps:

  1. Submit a replication job.
  2. Check the job status.

The Replicator CLI is part of the LocalStack CLI. Follow the installation instructions to set it up.

To start a replication job, get the ARN of the resource to replicate. Then, trigger the job using the command:

Terminal window
export LOCALSTACK_AUTH_TOKEN=<auth token>
export AWS_DEFAULT_REGION=...
# if required
# export AWS_ACCESS_KEY_ID=
# export AWS_SECRET_ACCESS_KEY=
localstack replicator start \
--resource-type <resource-type> \
--resource-identifier <identifier> \
[--target-account-id <account-id>] \
[--target-region-name <region-name>]

This triggers the replication job. The output will look similar to:

{
"job_id": "50005865-1589-4f6d-a720-c86f5a5dd021",
"state": "TESTING_CONNECTION",
"error_message": null,
"type": "SINGLE_RESOURCE",
"replication_config": {
"resource_type": "AWS::SSM::PARAMETER",
"identifier": "myParameter"
}
}

To trigger replication via the HTTP API, send a POST request to http://localhost.localstack.cloud:4566/_localstack/replicator/jobs with the following payload:

{
"replication_type": "SINGLE_RESOURCE",
"replication_job_config": {
"resource_type": "<resource-type>",
"identifier": "<identifier>"
},
"source_aws_config": {
"aws_access_key_id": "...",
"aws_secret_access_key": "...",
"aws_session_token": "...", // optional
"region_name": "...",
"endpoint_url": "..." // optional
},
"target_aws_config": {} // optional, same shape as `source_aws_config`
}

Replication jobs run asynchronously, so you need to poll their status to check when they finish.

When creating a replication job, the response includes a job_id. Use this ID to check the job status:

Terminal window
export LOCALSTACK_AUTH_TOKEN=<auth token>
localstack replicator status <job-id>

This command returns the job status in JSON format, for example:

{
"job_id": "50005865-1589-4f6d-a720-c86f5a5dd021",
"state": "SUCCEEDED",
"error_message": null,
"type": "SINGLE_RESOURCE",
"replication_config": {
"resource_type": "AWS::SSM::PARAMETER",
"identifier": "myParameter"
}
}

For long-running jobs, the CLI can poll the status until the job reaches a terminal state. To wait for the job to finish, use the --follow flag.

To check the status of a replication job via the HTTP API, send a GET request to http://localhost.localstack.cloud:4566/_localstack/replicator/jobs/<job-id>.

This quickstart example creates an SSM parameter in AWS and replicates it to LocalStack.

To start, create the parameter in AWS. This example uses an SSO profile named ls-sandbox for AWS configuration, and replicates resources from the eu-central-1 region.

Terminal window
AWS_PROFILE=ls-sandbox aws ssm put-parameter\
--name myparam \
--type String \
--value abc123
{
"Version": 1,
"Tier": "Standard"
}
Terminal window
AWS_PROFILE=ls-sandbox aws ssm get-parameters --names myparam
{
"Parameters": [
{
"Name": "myparam",
"Type": "String",
"Value": "abc123",
"Version": 1,
"LastModifiedDate": "2025-02-07T13:36:56.240000+00:00",
"ARN": "arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam",
"DataType": "text"
}
],
"InvalidParameters": []
}

The SSM parameter has the ARN: arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam.

Next, we can check that the parameter is not present in LocalStack using awslocal:

Terminal window
awslocal ssm get-parameters --name myparam
{
"Parameters": [],
"InvalidParameters": [
"myparam"
]
}

Next, trigger replication from AWS to LocalStack. This example uses an SSO profile named ls-sandbox for AWS configuration.

Terminal window
LOCALSTACK_AUTH_TOKEN=<ls-auth-token> \
AWS_PROFILE=ls-sandbox \
localstack replicator start \
--resource-type AWS::SSM::Parameter \
--resource-identifier <identifier> \

Configured credentials from the AWS CLI

{
"job_id": "9acdc850-f71b-4474-b138-1668eb8b8396",
"state": "TESTING_CONNECTION",
"error_message": null,
"type": "SINGLE_RESOURCE",
"replication_config": {
"resource_type": "AWS::SSM::PARAMETER",
"identifier": "myparam"
}
}

You can check the replication job status using the job_id:

Terminal window
LOCALSTACK_AUTH_TOKEN=<ls-auth-token> \
localstack replicator status 9acdc850-f71b-4474-b138-1668eb8b8396
{
"job_id": "9acdc850-f71b-4474-b138-1668eb8b8396",
"state": "SUCCEEDED",
"error_message": null,
"type": "SINGLE_RESOURCE",
"replication_config": {
"resource_arn": "arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam"
}
}

The state is SUCCEEDED, indicating the replication job completed successfully. The SSM parameter is now accessible.

Terminal window
awslocal ssm get-parameters --name myparam --region eu-central-1
{
"Parameters": [
{
"Name": "myparam",
"Type": "String",
"Value": "abc123",
"Version": 1,
"LastModifiedDate": 1738935663.08,
"ARN": "arn:aws:ssm:eu-central-1:000000000000:parameter/myparam",
"DataType": "text"
}
],
"InvalidParameters": []
}

The resource is replicated into the same AWS region by default. Use the --target-region-name flag to change it. By default, replication occurs in LocalStack account 000000000000. Use the --target-account-id flag to specify a different account.

The project is still in preview state and we welcome feedback and bug reports. We have opened a github issue where you can request and upvote to help us prioritize our efforts and support the resources with the most impact. For any other requests or reports, please open a new github issue.

Resource Type
Service
Identifier
Required Actions
Arn Support
AWS::EC2::SecurityGroupec2GroupId
cloudformation:GetResource
ec2:DescribeSecurityGroups
✔️
AWS::EC2::Subnetec2SubnetId
cloudformation:GetResource
ec2:DescribeSubnets
✔️
AWS::EC2::VPCec2VpcId
cloudformation:GetResource
ec2:DescribeVpcs
✔️
AWS::ECR::RepositoryecrRepositoryName:<ImageTag[Optional]>
cloudformation:GetResource
ecr:BatchCheckLayerAvailability
ecr:BatchGetImage
ecr:DescribeRepositories
ecr:GetAuthorizationToken
ecr:GetDownloadUrlForLayer
ecr:GetLifecyclePolicy
ecr:GetRepositoryPolicy
ecr:ListTagsForResource
✔️
AWS::IAM::PolicyiamArn
iam:GetPolicy
✔️
AWS::IAM::RoleiamRoleName
cloudformation:GetResource
iam:GetRole
✔️
AWS::KMS::KeykmsKeyId
cloudformation:GetResource
kms:DescribeKey
✔️
AWS::Lambda::LayerVersionlambdaLayerVersionArn
cloudformation:GetResource
lambda:GetLayerVersion
✔️
AWS::SSM::ParameterssmName
cloudformation:GetResource
ssm:GetParameters
✔️
AWS::SecretsManager::SecretsecretsmanagerArn
cloudformation:GetResource
secretsmanager:DescribeSecret
✔️