Cross-Account and Cross-Region Access
LocalStack automatically namespaces all resources based on the account ID and, in some cases, the region. However, there are certain resource types that can be accessed across multiple accounts or regions. This document provides information to help design such setups.
Note: Cross-account support in LocalStack is being actively developed. Please report any issues on our GitHub issue tracker.
Resources that can be accessed across multiple accounts are always identified by their Amazon Resource Names (ARNs). The resources and operations that allow cross-account access are listed below.
Note: LocalStack does not enforce IAM for cross-account access by default. Use the ENFORCE_IAM configuration option to enable it.
It is possible to create peered VPCs and transit gateway peering attachments that are in a different region or account than the requester.
Ensure that the PeerOwnerId arguments are correctly set when creating these resources.
Lambda functions and layers
Like AWS, LocalStack S3 has a bucket namespace which is shared by all accounts. This means that the bucket name has to be globally unique.
On AWS, all operations except UntagQueue allow cross-account access.
On LocalStack, all operations allow cross-account access.
AWS provides individual API endpoints for each region, and typically, resources can only be accessed within their respective regions.
On the other hand, LocalStack operates on a unified API endpoint, allowing interactions with services across regions.
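Because cross-account resources are addressed by ARN, and LocalStack neither enforces IAM across accounts by default nor separates regions by endpoint, a test suite can flag which target ARNs leave the caller's account or region before relying on a local result. The following is an added example, not LocalStack code; the function names, account IDs and resource names are constructed for illustration.

```python
from typing import NamedTuple, Optional


class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty when the ARN carries no region (e.g. S3 buckets)
    account_id: str  # empty when the ARN carries no account (e.g. S3 buckets)
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource into fields."""
    # maxsplit=5 keeps ':' inside the resource part (e.g. function:name:version).
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[5]:
        raise ValueError(f"not a valid ARN: {arn!r}")
    return Arn(*parts[1:])


def _differs(field: str, caller_value: str) -> Optional[bool]:
    # None means the ARN does not say, so the caller cannot rule it out.
    return (field != caller_value) if field else None


def classify(caller_account: str, caller_region: str, target_arn: str) -> dict:
    """Report whether a call on target_arn leaves the caller's account or region."""
    arn = parse_arn(target_arn)
    # Only a 12-digit field names an owning account.
    owner = arn.account_id if (len(arn.account_id) == 12 and arn.account_id.isdigit()) else ""
    return {
        "cross_account": _differs(owner, caller_account),
        "cross_region": _differs(arn.region, caller_region),
    }


def needs_iam_check(caller_account: str, caller_region: str, arns: list) -> list:
    """ARNs whose owner is another account or cannot be read from the ARN."""
    return [a for a in arns
            if classify(caller_account, caller_region, a)["cross_account"] is not False]


# Constructed sample ARNs; account IDs and resource names are made up.
SAMPLE_ARNS = [
    "arn:aws:sqs:us-east-1:000000000000:orders",
    "arn:aws:lambda:eu-west-1:111111111111:function:resize:1",
    "arn:aws:s3:::shared-artifacts",
]

if __name__ == "__main__":
    for arn in SAMPLE_ARNS:
        print(arn, classify("000000000000", "us-east-1", arn))
```

The S3 bucket ARN carries neither region nor account, so it is reported as undetermined rather than same-account; tests touching the ARNs returned by `needs_iam_check` are the ones worth running with ENFORCE_IAM enabled.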