AWS Replicator
Introduction
Section titled “Introduction”Infrastructure deployed on AWS often requires access to shared resources defined externally. For example a VPC defined by another team to contain the application infrastructure. This makes it harder to deploy applications into LocalStack as these resource dependencies must be deployed first. These dependencies may not live in IaC where deployment is easy, or accessing the IaC may not be easy. Some resources may be referred to by ARN, for example Secrets Manager secrets, but these ARNs are partly random meaning that simply creating a new resource in LocalStack will generate a resource with a different ARN.
LocalStack AWS Replicator creates identical copies of AWS resources in a running LocalStack instance. This means that external resources can easily be replicated before deploying the main application, and removes the need to change existing stacks or create custom infrastructure, making LocalStack setup easier.
Getting started
Section titled “Getting started”A valid LOCALSTACK_AUTH_TOKEN must be configured to start the LocalStack Pro image.
Retrieve credentials to access AWS
Section titled “Retrieve credentials to access AWS”The AWS Replicator needs read access to your AWS account and performs a limited set of read-only operations on supported resources. These operations can be limited by creating a minimal IAM role with just the policy actions required for replication, and providing credentials to assume this role.
See the supported resources section for details of what policy actions are required for each resource.
When the replication is triggered using the LocalStack CLI, which must run in a shell configured to access AWS. Here are some options:
If you have the AWS CLI v2 installed, the CLI will read credentials from your configured AWS_PROFILE.
export AWS_PROFILE=my-aws-profilelocalstack replicator ...If you have the AWS CLI v1 installed or no installation of the AWS CLI, the following environment variables must be set:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN(optional)AWS_DEFAULT_REGION
Trigger a replication job
Section titled “Trigger a replication job”Replication jobs can be triggered using the LocalStack CLI or an HTTP API. Both methods have two steps:
- Submit a replication job.
- Check the job status.
Using the LocalStack CLI
Section titled “Using the LocalStack CLI”The Replicator CLI is part of the LocalStack CLI. Follow the installation instructions to set it up.
To start a replication job, get the ARN of the resource to replicate. Then, trigger the job using the command:
export LOCALSTACK_AUTH_TOKEN=<auth token>export AWS_DEFAULT_REGION=...# if required# export AWS_ACCESS_KEY_ID=# export AWS_SECRET_ACCESS_KEY=localstack replicator start \ --resource-type <resource-type> \ --resource-identifier <identifier> \ [--target-account-id <account-id>] \ [--target-region-name <region-name>]This triggers the replication job. The output will look similar to:
{ "job_id": "50005865-1589-4f6d-a720-c86f5a5dd021", "state": "TESTING_CONNECTION", "error_message": null, "type": "SINGLE_RESOURCE", "replication_config": { "resource_type": "AWS::SSM::PARAMETER", "identifier": "myParameter" }}Using the HTTP API
Section titled “Using the HTTP API”To trigger replication via the HTTP API, send a POST request to http://localhost.localstack.cloud:4566/_localstack/replicator/jobs with the following payload:
{ "replication_type": "SINGLE_RESOURCE", "replication_job_config": { "resource_type": "<resource-type>", "identifier": "<identifier>" }, "source_aws_config": { "aws_access_key_id": "...", "aws_secret_access_key": "...", "aws_session_token": "...", // optional "region_name": "...", "endpoint_url": "..." // optional }, "target_aws_config": {} // optional, same shape as `source_aws_config`}Check Replication Job Status
Section titled “Check Replication Job Status”Replication jobs run asynchronously, so you need to poll their status to check when they finish.
Using the LocalStack CLI
Section titled “Using the LocalStack CLI”When creating a replication job, the response includes a job_id.
Use this ID to check the job status:
export LOCALSTACK_AUTH_TOKEN=<auth token>
localstack replicator status <job-id>This command returns the job status in JSON format, for example:
{ "job_id": "50005865-1589-4f6d-a720-c86f5a5dd021", "state": "SUCCEEDED", "error_message": null, "type": "SINGLE_RESOURCE", "replication_config": { "resource_type": "AWS::SSM::PARAMETER", "identifier": "myParameter" }}For long-running jobs, the CLI can poll the status until the job reaches a terminal state.
To wait for the job to finish, use the --follow flag.
Using the HTTP API
Section titled “Using the HTTP API”To check the status of a replication job via the HTTP API, send a GET request to http://localhost.localstack.cloud:4566/_localstack/replicator/jobs/<job-id>.
Quickstart
Section titled “Quickstart”This quickstart example creates an SSM parameter in AWS and replicates it to LocalStack.
To start, create the parameter in AWS.
This example uses an SSO profile named ls-sandbox for AWS configuration, and replicates resources from the eu-central-1 region.
AWS_PROFILE=ls-sandbox aws ssm put-parameter\ --name myparam \ --type String \ --value abc123{ "Version": 1, "Tier": "Standard"}AWS_PROFILE=ls-sandbox aws ssm get-parameters --names myparam{ "Parameters": [ { "Name": "myparam", "Type": "String", "Value": "abc123", "Version": 1, "LastModifiedDate": "2025-02-07T13:36:56.240000+00:00", "ARN": "arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam", "DataType": "text" } ], "InvalidParameters": []}The SSM parameter has the ARN: arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam.
Next, we can check that the parameter is not present in LocalStack using awslocal:
awslocal ssm get-parameters --name myparam{ "Parameters": [], "InvalidParameters": [ "myparam" ]}Next, trigger replication from AWS to LocalStack.
This example uses an SSO profile named ls-sandbox for AWS configuration.
LOCALSTACK_AUTH_TOKEN=<ls-auth-token> \ AWS_PROFILE=ls-sandbox \ localstack replicator start \ --resource-type AWS::SSM::Parameter \ --resource-identifier <identifier> \Configured credentials from the AWS CLI
{ "job_id": "9acdc850-f71b-4474-b138-1668eb8b8396", "state": "TESTING_CONNECTION", "error_message": null, "type": "SINGLE_RESOURCE", "replication_config": { "resource_type": "AWS::SSM::PARAMETER", "identifier": "myparam" }}You can check the replication job status using the job_id:
LOCALSTACK_AUTH_TOKEN=<ls-auth-token> \ localstack replicator status 9acdc850-f71b-4474-b138-1668eb8b8396{ "job_id": "9acdc850-f71b-4474-b138-1668eb8b8396", "state": "SUCCEEDED", "error_message": null, "type": "SINGLE_RESOURCE", "replication_config": { "resource_arn": "arn:aws:ssm:eu-central-1:<account-id>:parameter/myparam" }}The state is SUCCEEDED, indicating the replication job completed successfully.
The SSM parameter is now accessible.
awslocal ssm get-parameters --name myparam --region eu-central-1{ "Parameters": [ { "Name": "myparam", "Type": "String", "Value": "abc123", "Version": 1, "LastModifiedDate": 1738935663.08, "ARN": "arn:aws:ssm:eu-central-1:000000000000:parameter/myparam", "DataType": "text" } ], "InvalidParameters": []}The resource is replicated into the same AWS region by default.
Use the --target-region-name flag to change it.
By default, replication occurs in LocalStack account 000000000000.
Use the --target-account-id flag to specify a different account.
Supported Resources
Section titled “Supported Resources”The project is still in preview state and we welcome feedback and bug reports. We have opened a github issue where you can request and upvote to help us prioritize our efforts and support the resources with the most impact. For any other requests or reports, please open a new github issue.
| Resource Type | Service | Identifier | Required Actions | Arn Support |
|---|---|---|---|---|