Identity and Access Management (IAM)

Get started with AWS Identity and Access Management (IAM) on LocalStack

  4 minute read  

Introduction

Identity and Access Management (IAM) is a web service provided by Amazon Web Services (AWS) that enables users to control access to AWS resources securely. IAM allows organizations to create and manage AWS users, groups, and roles, defining granular permissions to access specific AWS services and resources. By centralizing access control, administrators can enforce the principle of least privilege, ensuring users have only the necessary permissions for their tasks.

LocalStack supports IAM via the Community offering, allowing you to use the IAM APIs in your local environment to create and manage users, groups, and roles, granting permissions that adhere to the principle of least privilege. The supported APIs are available on our API coverage page, which provides information on the extent of IAM’s integration with LocalStack.

Getting started

This guide is designed for users new to IAM and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.

Start your LocalStack container using your preferred method. We will demonstrate how you can create a new user named test, create an access key pair for the user, and assert that the user is recognized after the access keys are configured in the environment.

By default, in the absence of custom credentials configuration, all requests to LocalStack run under the administrative root user. Run the following command to use the GetCallerIdentity API to confirm that the request is running under the root user:

$ awslocal sts get-caller-identity

You can see an output similar to the following:

{
    "UserId": "AKIAIOSFODNN7EXAMPLE",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:root"
}

You can now create a new user named test using the CreateUser API. Run the following command:

$ awslocal iam create-user --user-name test

You can now create an access key pair for the user using the CreateAccessKey API. Run the following command:

$ awslocal iam create-access-key --user-name test

You can see an output similar to the following:

{
    "AccessKey": {
        "UserName": "test",
        "AccessKeyId": "LKIAQAAAAAAAGFWKCM5F",
        "Status": "Active",
        "SecretAccessKey": "DUulXk2N2yD6rgoBBR9A/5iXa6dBcLyDknr925Q5",
        "CreateDate": "2023-07-25T09:36:51+00:00"
    }
}
...

You can save te AccessKeyId and SecretAccessKey values, and export them in the environment to run commands under the test user. Run the following command:

$ export AWS_ACCESS_KEY_ID=LKIAQAAAAAAAGFWKCM5F AWS_SECRET_ACCESS_KEY=DUulXk2N2yD6rgoBBR9A/5iXa6dBcLyDknr925Q5
$ awslocal sts get-caller-identity
{
    "UserId": "b2yxf5g824zklfx5ry8o",
    "Account": "000000000000",
    "Arn": "arn:aws:iam::000000000000:user/test"
}

You can see that the request is now running under the test user.

Resource Browser

The LocalStack Web Application provides a Resource Browser for managing IAM users, groups, and roles. You can access the Resource Browser by opening the LocalStack Web Application in your browser, navigating to the Resources section, and then clicking on IAM under the Security Identity Compliance section.

IAM Resource Browser

The Resource Browser allows you to perform the following actions:

  • Create User, Group, Role, and Policy: Create a new IAM user, group, or role by clicking the top-level Create button and filling out the form.
  • View User, Group, Role, and Policy Details: Click on any of the listed resources to view its details by clicking on the desired User, Group, Role, or Policy.
  • Edit User, Group, Role, and Policy Details: Click on any listed resources to edit its details by clicking on the desired User, Group, Role, or Policy.
  • Delete User, Group, Role, and Policy: Select any listed resources to delete them by clicking the Actions button and selecting Remove Selected.

Supported APIs

IAM security enforcement is comprehensively available for all AWS APIs in LocalStack and has undergone thorough testing across multiple services. The services that have been rigorously tested include:

  • ACM
  • API Gateway
  • CloudFormation
  • CloudWatch (metrics/events/logs)
  • DynamoDB
  • DynamoDB Streams
  • Elasticsearch Service
  • EventBus, Kinesis
  • KMS
  • Lambda
  • Redshift
  • S3
  • SecretsManager
  • SNS
  • SQS

Examples

The following code snippets and sample applications provide practical examples of how to use IAM in LocalStack for various use cases:


Last modified November 16, 2023: Prepare docs for AWS re:Invent release (#883) (9b227b6cb)