Summary

LocalStack 4.12 is now available! This release introduces Lambda Managed Instances, enhanced Step Functions unit testing capabilities, expanded Glue API support with user-defined functions and column statistics, and Network Load Balancer TCP listener emulation. Additional enhancements include EventBridge Pipes input transformation, Application Load Balancer HTTPS targets, improved IAM policy simulation, and updates across S3 Tables, CloudWatch Logs, and multiple AWS services.

AWS Features

• LocalStack now supports Lambda Managed Instances, a new Lambda execution mode that allows for predictable pricing when handling a high volume of Lambda invocations. Learn more in our blog post.
• LocalStack now provides comprehensive support for unit testing AWS Step Functions via enhanced TestState API capabilities. Learn more in our blog post.

Enhancements

• Upgraded the kinesis-mock version from 0.5.1 to 0.5.2.
• Added support in CloudFormation v2 for List<AWS::EC2::SubnetId> template parameters.
• Added support for additional RSA key lengths and several EC key types in ACM certificates.
• Added support for the EU LocationConstraint in the S3 CreateBucket operation.
• Added support for Airflow 3.0.6 in Managed Workflows for Apache Airflow (MWAA) provider. (🌟 ultimate)
• Added support for the GetInstanceUefiData API in the EC2 provider. (🌟 base)
• Implemented support for specifying Tags during the S3 CreateBucket operation, and added support for the TagCount field in HeadObject responses.
• Added configurable wait-time controls for CloudFormation resource polling (CFN_NO_WAIT_ITERATIONS) and reduced default sleep intervals, meaning that deploy times for large stacks should be reduced.
• Added configuration options to customise the Libvirt network (EC2_LIBVIRT_NETWORK) and storage pool (EC2_LIBVIRT_POOL) used by EC2, instead of assuming the default names. (🌟 enterprise)
• Cognito now supports enforcing HTTPS in OAuth and federated login flows by honouring USE_SSL=1, ensuring all generated authentication URLs use https://. (🌟 base)
• Added support for ECS Managed EC2 Instances capacity providers, including CRUD operations, improved status responses, and validation during task execution. (🌟 base)
• Added support for the following S3 Control tagging operations for S3 buckets:
  • ListTagsForResource
  • TagResource
  • UntagResource
• Added support for the ListLogGroups operation in CloudWatch Logs.
• EventBridge Pipes now supports input transformation for enrichment, including proper handling of JSON arrays and quote stripping for plain text templates. (🌟 ultimate)
• Application Load Balancers now support HTTPS targets in target groups, with the load balancer skipping SSL verification for HTTPS targets, matching AWS behavior where self-signed certificates are accepted. (🌟 base)
• Improved the IAM SimulatePrincipalPolicy operation to use the IAM Enforcement Engine, providing more accurate policy evaluation decisions. Support for roles and groups as principals has been added. (🌟 base)
• Network Load Balancers now support TCP listener emulation, enabling basic NLB functionality for local testing. A new proxy manager handles the creation and lifecycle of TCP proxies for NLB listeners. (🌟 base)
• LocalStack’s S3 Tables provider now includes the following enhancements: (🌟 ultimate)
  • Added support for the ListTagsForResource API.
  • Added support for encryption configuration APIs at both bucket and table levels. Actual encryption enforcement is not yet implemented.
• Added support for managing user-defined functions in Glue with the following APIs: (🌟 ultimate)
  • CreateUserDefinedFunction
  • GetUserDefinedFunction
  • UpdateUserDefinedFunction
  • DeleteUserDefinedFunction
  • GetUserDefinedFunctions
• Added support for managing column statistics for tables in Glue with the following APIs: (🌟 ultimate)
  • UpdateColumnStatisticsForTable
  • GetColumnStatisticsForTable
  • DeleteColumnStatisticsForTable

What's Changed

Exciting New Features 🎉

• S3Control: implement Tagging support for S3 Bucket by @bentsku in #13435
• [SFN] Add new TestState API capabilities by @tiurin in #13418
• Extend Moto exception translation to cover more error types by @viren-nadkarni in #13414
• Add Lambda Managed Instances by @viren-nadkarni in #13440
• Sns/v2 publish continued by @baermat in #13408
• S3: Support EU Bucket Location Constraint for CreateBucket by @aidehn in #13450
• implemented phone ops, added tests by @baermat in #13449
• Use catalog in CloudFormation CreateStack and save errors for DescribeStack by @silv-io in #13321
• ecs/add service principal by @cloutierMat in #13474

Other Changes

• Update banner on README.md by @remotesynth in #13421
• S3: fix change in behavior in CreateBucketConfiguration by @bentsku in #13427
• S3: add support for Tags in CreateBucket by @bentsku in #13428
• S3: support TagCount in HeadObject by @bentsku in #13429
• Fix version evaluation of boto3 in asf update action by @silv-io in #13442
• chore: define explicit state containers for providers by @bentsku in #13423
• Pass DockerHub credentials to test containers by @sannya-singal in #13434
• Lambda: Validate capacity provider in create_function by @anisaoshafi in #13445
• Lambda: Raise error when function added a capacity provider by @anisaoshafi in #13447
• chore: define rest of explicit state containers for providers by @bentsku in #13433
• update kinesis-mock from 0.5.1 to 0.5.2 by @alexrashed in #13448
• fix/external client CA bundle by @cloutierMat in #13451
• [SFN][TestState] Make roleArn optional by @tiurin in #13459
• [SFN][TestState] Fix state context tests MA/MR run failure by @tiurin in #13460
• CFn: configure wait time for polling resources by @simonrw in #13455
• [SFN][TestState] Add validations for mock presence depending on state type by @tiurin in #13457
• [SFN][Tes...

What's Changed

Other Changes

• fix minimum click version for used CLI features by @alexrashed in #13420

Full Changelog: v4.11.0...v4.11.1

New Lambda Runtime Support

LocalStack for AWS 4.11 includes several Lambda runtime updates including:

• Python 3.14
• Java 25
• Node.js 24

You can learn more about deploying Lambdas to LocalStack in our documentation and more about Lambda supported runtimes in the AWS documentation.

Improved KMS Support

AWS Key Management Service (KMS allows you to easily create, control, and manage the cryptographic keys used to encrypt and protect your data across your applications and AWS resources. LocalStack for AWS 4.11 adds to our already extensive KMS coverage by adding support for a recipient in KMS decrypt and on-demand key rotation for external keys.

KMS Decrypt Recipient

LocalStack for AWS 4.11 now supports the KMS Decrypt Recipient field is used by AWS Nitro Enclaves to decrypt sensitive keys without the host being able to read them. You can read more about this flow in the KMS Decrypt documentation.

KMS On-demand Key Rotation

KMS: On Demand Key Rotation for Imported Key Material
Earlier this year, AWS made it possible to import custom key material into external keys thereby allowing use of KeyRotationOnDemand with external KMS keys. This capability is now also supported in LocalStack for AWS as of 4.11.

Expanded API Support for MSK, S3 Tables and CodePipeline

At LocalStack, we are always striving to expand our AWS API coverage to ensure our customers can accurately test their complete end-to-end workflow. LocalStack for AWS 4.11 continues this effort with expanded API support for a number of services.

MSK

Tagging resources in Amazon Managed Streaming for Apache Kafka (MSK) is a powerful and simple way to manage, organize, and control access to your resources. LocalStack for AWS 4.11 inclues support for tagging MSK Resources.

API operations that were added include:

• TagResource
• UntagResource
• ListTagsForResource

For details on using MSK within LocalStack as well as full API coverage details, visit our MSK documentation.

S3 Tables

Amazon S3 Tables provide support APIs that allow users to configure, monitor, and control the management and performance of individual tables. As of LocalStack for AWS 4.11, we support the following S3 Tables support APIs:

• GetTableBucketMaintenanceConfiguration
• PutTableBucketMaintenanceConfiguration
• GetTableMaintenanceConfiguration
• PutTableMaintenanceConfiguration

Note that the APIs accept, validate, store, and return maintenance configurations, but the actual maintenance operations (file removal, compaction, snapshot management) are not actively executed.

For more details on using S3 Tables in LocalStack, check our S3 Tables documentation.

CodePipeline

Our team at LocalStack regularly monitors API usage to help identify gaps in API coverage for actively requested APIs. One such missing operation recently identified by our team was the GetPipelineState operation in CodePipeline used to retrieve the state of a pipeline, including the stages and actions. LocalStack for AWS 4.11 resolves this API coverage gap.

For information about how to use CodePipeline within LocalStack, including full API coverage details, visit our CodePipeline documentation.

RDS Support for pgvector

LocalStack continues to improve upon its capabilities in building and testing artificial intelligence (AI) and machine learning (ML) applications. AWS previously announced support for the pgvector extension for Amazon Relational Database Service (RDS) for PostgreSQL. This extension is used to store embeddings from ML models in order to more efficiently perform similarity searches. With LocalStack for AWS 4.11, the pgvector extension is now installed by default when installing a version of Postgres allowing improved emulation of ML workloads.

Enhanced EKS Persistence

Persistence on LocalStack allows you to save and even share the state of your LocalStack instance. This can enable quick and easy setup of complex environments across sessions, between team members or in CI/CD. However, until LocalStack for AWS 4.11, EKS (Elastic Kubernetes Service) persistence was limited as it did not persist the contents of the cluster.

LocalStack for AWS 4.11 has added the ability to persist the state and contents of your emulated EKS clusters between restarts, enabling faster iteration and more realistic local testing of Kubernetes workloads.

By default, cluster contents are not persisted. You can enable saving/loading your Kubernetes resources by starting LocalStack with EKS_PERSIST_CLUSTER_CONTENTS=1. The persistence capability uses Velero under the hood, and we've also exposed EKS_VELERO_IMAGE and EKS_VELERO_PLUGIN_AWS_IMAGE to allow further customization of the Velero image and the AWS plugin image.

Miscellaneous

• Fixed an issue where the public IP address of EC2 instances started in K8S environment would not resolve to the instances pod.
• Fixed the Kafka cluster version in the MSK ListClusters and DescribeCluster APIs.
• Fixed an issue where the pod would not be removed when deleting the cluster or stopping LocalStack when running Redis/Valkey container in K8s environment.
• Fixed an issue reported that caused a GraphQL schema error in AppSync when defining AWSDateTime or AWSTimestamp scalars.

Deprecations

• Starting LocalStack in host mode via the CLI using localstack start --host has been deprecated and is expected to be removed in January 2026. Users of this features are advised to use the default Docker mode instead.

What's Changed

Exciting New Features 🎉

• Lambda: Support python3.14 and java25 runtimes by @dfangl in #13348
• Update deprecated type annotations produced by AWS scaffold tool by @purcell in #13347
• Sns:v2 platform endpoint operations by @baermat in #13327
• Add support for recipient for KMS Decrypt by @mboorstin-circle in #13343
• deprecate starting in host mode via the CLI by @alexrashed in #13398
• KMS: On Demand Key Rotation for Imported Key Material by @aidehn in #13363
• Step Functions: fix validate-state-machine-definition by @YukiMichishita in #13281
• refactor the global analytics bus to use a generic async batching util by @thrau in #13279
• Sns:v2 publish by @baermat in #13399

Other Changes

• K8s tests: Add requires_in_process marker in only_localstack tests where needed by @nik-localstack in #13303
• Add marker for skipping k8s tests by @nik-localstack in #13324
• IAM: refactor simulation into simulator class by @pinzon in #13326
• Change one of the test domains for the DNS tests by @dfangl in #13333
• Update localstack.dev.kubernetes script to expose DNS port by @nik-localstack in #13320
• Propose fix two typos by @jeis4wpi in #13341
• OpenSearch: Disable SSL validation for unsupported regions by @dfangl in #13346
• services/logs: Add ListLogGroups operation by @purcell in #13337
• IaC: Load the AWS catalog from the platform or cached file by @k-a-il in #13179
• UNC-99 apigateway accept-encoding header wrong by @cloutierMat in #13350
• Move steps for updating ASF modules to Makefile by @purcell in #13354
• Remove redundant ruff ignores for generated ASF modules by @purcell in #13355
• update kinesis-mock from 0.4.13 to 0.4.14 by @alexrashed in #13360
• Explicitly fix import order when regenerating A...

Summary

LocalStack 4.10 introduces S3 Tables with Apache Iceberg support and major EKS enhancements, including IRSA, Pod Identity, and automatic endpoint injection. The release expands AWS parity across DynamoDB, EventBridge Pipes, ECS FireLens, SESv2, and IAM, while modernising the stack by dropping Python 3.9 and removing legacy providers.

AWS Features

• LocalStack now supports S3 Tables with full Apache Iceberg REST API support, enabling management of tabular data stored in S3. Refer to our documentation to learn more. (🌟 ultimate)

Enhancements

• Added support for Python 3.14 in the LocalStack CLI.
• Added support for the aws:RequestedRegion and aws:PrincipalArn condition variables in IAM.
• Added support for inline templating in SESv2 SendEmail and SendBulkEmail operations. (🌟 base)
• Implemented support for the DescribeContributorInsights API in DynamoDB, enabling retrieval of contributor insights details for tables.
• Added support for wildcards in EventBridge Pipes input transformations, enabling patterns like <$.body[*]> for improved template flexibility. (🌟 ultimate)
• Added validation for EventBridge Pipes input templates, ensuring malformed or empty templates are handled consistently with AWS behavior. (🌟 ultimate)
• Enabled ECS FireLens support for custom configurations, allowing Fluent Bit config files to be loaded from S3 or bundled directly into container images. (🌟 ultimate)
• Added support for the DynamoDB WarmThroughput parameters, improving parity with AWS.
• LocalStack’s EKS provider now includes the following enhancements: (🌟 ultimate)
  • Added support for IAM Roles for Service Accounts (IRSA), allowing EKS pods to automatically assume IAM roles and retrieve AWS credentials through the standard SDK credential chain.
  • Added support for EKS Pod Identity, including the CreatePodIdentityAssociation API and a mock implementation of the EKS Auth service, improving compatibility with the latest AWS authentication model.
  • Introduced automatic injection of endpoint URLs (AWS_ENDPOINT_URL and AWS_ENDPOINT_URL_S3) into EKS pods via the existing credential webhook, ensuring SDKs connect directly to LocalStack without manual configuration.
  • Improved EKS cluster access management to fully respect the bootstrapClusterCreatorAdminPermissions flag and automatically create default access entries for the EKS service role.

Deprecations

• Dropped Python 3.9 support, raising the minimum supported version to 3.10.
• Removed the legacy Batch provider, following the newer provider, which is now the default. (🌟 ultimate)
• Removed support for Kinesis Data Analytics for SQL Applications service, ahead of AWS's sunset date of 2026-01-27.
• Removed support for Managed Service for Apache Flink (MSF) 'legacy' provider. Users should migrate to the new emulated provider, which has been the default since v4.1.0. (🌟 ultimate)

What's Changed

Exciting New Features 🎉

• DynamoDB: Implement DescribeContributorInsights by @aleslash in #13220
• Sns/v2 topic migration by @baermat in #13205
• Correct casing for x-amzn-RequestId header by @dfangl in #13230
• drop python 3.9 and add tests for 3.14 in the cli by @alexrashed in #13247
• Sns/v2 apply subscribe changes by @baermat in #13226
• Sns/v2 sms attribute operations by @baermat in #13255
• SNS: V2 tagging by @baermat in #13254
• chore(lambda/rie): Update RIE to v1.36.0-pre by @gregfurman in #13298
• Add option to allow ':' in ARNs by @baermat in #13296
• feat(utils/sync): Add sync.Once utility functions by @gregfurman in #13284
• Sns:v2 platform application crud by @baermat in #13312

Other Changes

• dependabot: update labels and cleanup config by @alexrashed in #13225
• IaC: Update CatalogPlugin class and common catalog plugins logic by @k-a-il in #13184
• Skip test test_cfn_apigateway_swagger_import when running in K8s by @nik-localstack in #13229
• Opensearch: Ignore SSL validation for ES plugin test by @nik-localstack in #13234
• CFn: fix number parameter types by @simonrw in #13231
• CFn: correctly skip conditionally disabled resources by @simonrw in #13238
• [Testing] Update test durations by @localstack-bot in #13221
• SNS: Fix multi-region test by @baermat in #13240
• APIGW: fix Integration connectionId not being returned by @bentsku in #13233
• CFN: add support for passing objects in GetAtt by @pinzon in #13206
• CFn: handle get_template_summary of failed stack deploy by @simonrw in #13239
• CFn: handle invalid GetAtt validation by @simonrw in #13241
• Fix Event Bridge input transformation of booleans by @carole-lavillonniere in #13236
• Fix visibility check in _pre_delete_checks to use is_visible attribute by @xhoantran in #13223
• Updating the test duration workflow by @ArthurAkh in #13170
• Integrate Moto exception translation into handler chain by @viren-nadkarni in #13153
• CFN: add more validations to intrinsic FnEquals by @pinzon in #13217
• Allow storing test metrics in local filesystem of LocalStack container by @nik-localstack in #13188
• DynamoDB: Add support for WarmThroughput parameters by @viren-nadkarni in #13235
• CFN: add validation to FnSplit by @pinzon in #13244
• CFN: Fix duplicated stack issue by @pinzon in #13249
• DDB: regenerate snapshots for WarmThroughput by @bentsku in #13257
• fix ASF update linting removing unused import across the codebase by @bentsku in #13263
• Upgrade moto by @bentsku in #13262
• S3: fix aws-global validation in CreateBucket by @bentsku in #13250
• DynamoDB: fix snapshot skip for MA/MR global table by @bentsku in #13270
• Logs: harden dict view iterations by @nik-localstack in #13272
• Events: fix anything-but with null values by @bentsku in #13268
• fix linting by @baermat in #13274
• Add dependency linting and clean up by @silv-io in #13193
• Simplify new_tmp_dir by @giograno in #13273
• S3: clean up leftover legacy code by @bentsku in #13271
• CFN: Validate resource last status in describe_stack_resource by @pinzon in #13269
• Utils: add strict mode to load_file by @simonrw in #13265
• APIGW: expand coverage for API Keys and Usage Plans by @ArthurAkh in #13201
• CI:Fix enforce labels workflow by @k-a-il in #13277
• Update CODEOWNERS by @localstack-bot in #13253
• Remove verify_ssl = False from in memory localstack test configuration by @nik-localstack in #13275
• fix json.assign_to_path with non nested path by @cloutierMat in #13245
• Install build package when running make build by @nik-localstack in #13285
• CIFix...

What's Changed

• Update README for 4.9 by @remotesynth in #13216
• CFN: add validation in GetAtt for conditionally canceled resources by @pinzon in #13213

New Contributors

• @remotesynth made their first contribution in #13216

Full Changelog: v4.9.0...v4.9.1

Summary

This release focuses on reinforcing the underlying foundations of the project while enhancing both performance and security that improve alignment with AWS support while ensuring our software has the safety and reliability our users expect.

This release includes updates to several resources that underpin LocalStack for AWS services, including DynamoDB Local, Hadoop, Apache Spark, Glue, k3d, Postgres, Apache ActiveMQ, Python, and Debian Trixie. We’ve also added support for new versions of OpenSearch, new merge strategies for Cloud Pods, CRUD support for EKS access entries, and multi-protocol support for CloudWatch’s additional protocols.

AWS Features

• LocalStack for AWS 4.9 adds support for new versions of OpenSearch and updates the default version to align with AWS support. The new supported versions for OpenSearch are 2.15, 2.17, 2.19 and 3.1. The new default version for OpenSearch domains (if no version is set) is now 3.1.
• LocalStack for AWS 4.9 adds CRUD support of EKS access entries and access policies. The new supported APIs include:
  • AssociateAccessPolicy
  • CreateAccessEntry
  • DeleteAccessEntry
  • DescribeAccessEntry
  • DisassociateAccessPolicy
  • ListAccessEntries
  • ListAccessPolicies
  • ListAssociatedAccessPolicies
  • UpdateAccessEntry
• The emulator is ready with multi-protocol support for the CloudWatch service in order to align with these upcoming changes to the CloudWatch service.

Enhancements

• Implement ListTags, TagResource and UntagResource API support for Backup Vaults and Backup Plans, which are the only resources we support that would support tagging.
• Remove unused Terraform package installer at localstack-core/localstack/packages/terraform.py. If you were using this package installer, please instead refer to our terraform-init extension.

Deprecations

• PostgreSQL 11 Support Removed: LocalStack for AWS 4.9 drops support for installing PostgreSQL 11. All services that previously used PostgreSQL 11 — including RDS, Redshift, and Timestream — now default to PostgreSQL 12. If you rely on PostgreSQL 11 in previous versions, ensure compatibility before upgrading.
• Debian Trixie / Python 3.13 Upgrade: Starting with LocalStack for AWS 4.9, the base image has been upgraded from Debian Bookworm / Python 3.11 to Debian Trixie / Python 3.13. This may impact custom extensions, init scripts, or packages that rely on specific OS packages or Python 3.11.
• Reinitialization Required for Existing Extensions: Due to the base image and Python upgrade, older volumes with installed extensions (using localstack extension init) may not be detected. Users will need to reinitialize and reinstall these extensions after upgrading.

What's Changed

Exciting New Features 🎉

Enhancements

• opensearch: add new versions by @alexrashed in #13134
• ASF: implement CBOR parser and serializer by @bentsku in #13103
• ASF: implement RPC V2 CBOR parser and serializer by @bentsku in #13125
• unpin moto-ext, upgrade to 5.1.12.post22 by @alexrashed in #13147
• upgrade to Python 3.13 and Debian Trixie by @dfangl in #13037
• remove terraform tests and package by @alexrashed in #13154
• ASF: implement multi-protocol support by @bentsku in #13151
• ASF/CloudWatch: add support for multi-protocols by @bentsku in #13161
• ASF: handle error serialization for Query-compatible services by @bentsku in #13172
• ASF: validate full CloudWatch suite with multi-protocol by @bentsku in #13173
• feat(kinesis): implement resource policies CRUD operations (#12488) by @dmacvicar in #12961
• add label to enforce running k8s test by @cloutierMat in #13168
• refactor sqs deveoper api into its own module by @thrau in #13202

Other Changes

• CFn: ecr repo uses request account and region by @simonrw in #13156
• IaC: Add AWS operations and CFN resources catalog by @k-a-il in #13027
• CFn: implement list change sets for new provider by @simonrw in #13149
• update old references to venv paths by @alexrashed in #13163
• CLA: Fix typo by @segogoreng in #13176
• Update CODEOWNERS by @localstack-bot in #13178
• ASF: fix exception serialization for smithy-rpc-v2-cbor and json protocol by @bentsku in #13180
• Add hot reload regression test cases for implicit behavior by @joe4dev in #13183
• Generate a dictionary of all publicly available AWS owned Cfn resources by @silv-io in #13150
• S3: fix DeleteObjectTagging on current object by @bentsku in #13174
• ASF: fix empty exception member serialization when required by @bentsku in #13186
• Fix DNS not supporting wildcard matching by @skyrpex in #13158
• switch to new labels workflow, add notes labels sync by @alexrashed in #13189
• CloudWatch: fix MA/MR for new snapshot test test_put_metric_alarm_escape_character by @bentsku in #13190
• CFn: handle resolving parameter names constructed in intrinsics by @simonrw in #13192
• CFn: correct stack ids by @simonrw in #13187
• CFN: fix for dynamic ref when value is a number by @pinzon in #13194
• SES: add snapshot test for describe_configuration_set with SNS destinations by @dmacvicar in #12814
• add sqs tests for ApproximateNumberOfMessagesNotVisible queue attribute by @thrau in #13197
• fix sqs dev endpoint to show invisible fifo messages correctly by @thrau in #13196
• update elasticsearch default version to 7.10.2 by @alexrashed in #13199
• fix pr-enforce-pr-labels workflow reference by @alexrashed in #13200
• APIGW: fix TestInvokeMethod 500 failures by @bentsku in #13207
• Upgrade dynamodb local to version 3.1 by @dfangl in #13210
• fix(kinesis): Add account and region context when using connect_to by @gregfurman in #13211
• CFn: fix CDK redeploy by @simonrw in #13191
• Cfn: Fix backslash processing for dynamic replacement values by @dfangl in #13212

New Contributors

• @segogoreng made their first contribution in #13176
• @skyrpex made their first contribution in #13158

Full Changelog: v4.8.1...v4.9.0

What's Changed

Other Changes

• CFn: Improve parameter value validation by @simonrw in #13124
• CFn: Protect against in review stacks for GetTemplateSummary by @simonrw in #13126
• CFn: correct disassociation of change sets from stacks by @simonrw in #13128
• CFn: fix modelling issue with AWS::NoValue by @simonrw in #13132
• CFn: better validation of select construct by @simonrw in #13136
• CFn: validate during get template by @simonrw in #13139
• CFn: tidy up legacy skip decorator by @simonrw in #13130
• CFn: fix invalid behaviour for nested intrinsic calls by @simonrw in #13146
• Add context manager for translating Moto exceptions by @viren-nadkarni in #13129
• Update version in README by @alexrashed in #13135

Full Changelog: v4.8.0...v4.8.1

Summary

LocalStack v4.8 brings one-click Lambda debugging with the AWS Toolkit for VS Code, a new CloudFormation engine, and an ECS-based Batch provider. The release also adds Kubernetes support for Redis, Route 53 → S3 website routing, and several enhancements to other AWS services like RDS Data, CloudFront, EKS, SQS, and CodeBuild, alongside major upgrades to the LocalStack Toolkit for VS Code.

AWS Features

• LocalStack integrates with the AWS Toolkit for VS Code, enabling one-click remote debugging of Lambda functions. You can set breakpoints, step through code, and inspect variables directly in your IDE. Debugger instrumentation is now automatic for Python, Node.js, and Java runtimes, eliminating the need for manual setup or boilerplate code. Check out our blog for more information.
• LocalStack introduces a new CloudFormation engine with improved parity for UPDATE operations and closer alignment with AWS. The legacy engine remains available (PROVIDER_OVERRIDE_CLOUDFORMATION=engine-legacy) for backwards compatibility, but all new features and fixes will target the new engine. Learn more in the documentation.
• LocalStack now ships with a new Batch provider built on top of the ECS runtime, replacing the previous custom implementation. Kubernetes execution is available via ECS_TASK_EXECUTOR=kubernetes. The legacy provider can still be used with PROVIDER_OVERRIDE_BATCH=legacy. Learn more in the documentation. (🌟 ultimate)

Enhancements

• LocalStack now supports running Redis in ElastiCache & MemoryDB as Kubernetes pods, providing consistent behaviour across local and cluster environments and removing the need for separate Docker-based execution. Enable it by setting REDIS_CONTAINER_MODE=1 and CONTAINER_RUNTIME=kubernetes. (🌟 enterprise)
• LocalStack now offers CRUD support for EKS Addons. The following API calls are now supported: (🌟 ultimate)
  • DescribeAddonVersions
  • DescribeAddonConfiguration
  • CreateAddon
  • DescribeAddon
  • ListAddons
  • UpdateAddon
  • DeleteAddon
• LocalStack now supports routing Route 53 domains to S3 static website endpoints, enabling custom domains to resolve directly to S3-hosted websites and improving parity with AWS. (🌟 base)
• LocalStack's RDS Data provider now includes the following enhancements: (🌟 base)
  • Added support for oid type in Postgres via the RDS Data API.
  • Added support for array types in Postgres via the RDS Data API, with fixes for array handling in Redshift Data.
  • Added support for returning numberOfRecordsUpdated in Postgres databases, improving parity with AWS responses.
• LocalStack's CloudFront provider now includes the following enhancements: (🌟 base)
  • Improved parity for header propagation in Lambda@Edge.
  • Improved parity by propagating status code changes for request event types (viewer-request, origin-request) in Lambda@Edge.
  • Proper handling of 3XX redirects for request events, ensuring responses like 302 are correctly propagated in Lambda@Edge.
  • CustomOriginConfig.HTTPPort and CustomOriginConfig.HTTPSPort are now properly set, ensuring requests correctly use configured custom ports instead of defaulting to port 80/443, with fallbacks to LocalStack’s edge port (4566) when necessary.
• Enhanced Lambda hot-reload to return file:// URIs for code locations instead of arbitrary strings, making them easier to parse and understand.
• Support for custom SSM Documents with SendCommand is now available, including parameter substitution. Only the aws:runShellScript plugin is supported. (🌟 base)
• Implemented FIS action aws:ecs:stop-task, enabling fault injection experiments to stop running ECS tasks. (🌟 ultimate)
• Enabled API Gateway VPC endpoint routing, allowing API invocation via .vpce.execute-api URLs using the x-apigw-api-id header.
• SNS now supports passing MessageGroupId to non-FIFO topics, aligning with SQS Fair Queues behavior and ensuring the attribute is propagated correctly to SQS messages.
• Implemented SES SetIdentityHeadersInNotificationsEnabled API, enabling configuration of header inclusion in bounce, complaint, and delivery notifications.
• Added support for Lambda Function URLs with ResponseStream invoke mode, enabling streaming responses via the InvokeMode parameter.
• Added Java 24 support in the Trino installer, enabling upgrades from Trino 389 to 476 and improving module installation command generation. (🌟 ultimate)
• Increased SQS message and batch size limit to 1 MiB, matching the recent AWS update.
• Added support for EFS DeleteFileSystemPolicy operation. (🌟 ultimate)
• Added support in CodePipeline for the CODEBUILD_RESOLVED_SOURCE_VERSION environment variable, ensuring CodeBuild actions receive the correct commit ID or S3 version ID for the source. (🌟 ultimate)
• Added support for Iceberg table metadata format v2 and s3a:// filesystem support in Hive, improving compatibility with Iceberg tables created using the iceberg-go SDK. (🌟 ultimate)
• Added Kubernetes owner references to Glue pods, enabling proper cleanup of child containers when the LocalStack pod is terminated. (🌟 enterprise)
• Added support in CodeBuild for resolving environment variables from Secrets Manager and SSM Parameter Store using ARNs, in addition to names. (🌟 base)
• Added tagging support for the CodeConnections service, enabling resource tag operations. (🌟 base)
• Improved EKS CloudFormation support for AWS::EKS::FargateProfile with idempotency handling, improved parameter validation, and proper support for profiles created without subnets. (🌟 ultimate)
• Updated DNS handling to allow checkip.amazonaws.com to resolve upstream by default by adding it to DEFAULT_SKIP_PATTERNS.
• The Traefik ingress controller and k3d load balancer are no longer started automatically when creating an EKS cluster. Set EKS_START_K3D_LB_INGRESS=1 to restore the previous behavior. (🌟 ultimate)

LocalStack Features

• The LocalStack Toolkit for VS Code now features a guided setup wizard, status bar integra...

Summary

LocalStack 4.7 is now available! This release introduces native Organizations support for multi-account setups, Valkey engine support as a Redis alternative in ElastiCache/MemoryDB, AppSync Events API for real-time WebSocket subscriptions, and significant enhancements across CodeBuild, CloudTrail, EKS, and DynamoDB providers with improved AWS parity throughout.

AWS Features

• LocalStack now supports the Valkey engine as an alternative to Redis in ElastiCache (🌟 base) and MemoryDB (🌟 ultimate). To enable Valkey, you need to use the REDIS_CONTAINER_MODE=1 configuration variable while starting the LocalStack container.
• LocalStack now includes a native Organizations provider, replacing the legacy Moto-based implementation. This new provider introduces improved AWS parity and expands support for managing multi-account and multi-organization setups in a local environment. (🌟 ultimate)
• LocalStack now supports the AppSync Events API for real-time event subscriptions, featuring channel namespaces, API Key/IAM authentication, and Direct Lambda integration. It provides both domain-based and path-based endpoints for local development, as well as HTTP interfaces for backend event publishing. (🌟 ultimate)

Enhancements

• Kinesis provider has been upgraded to use kinesis-mock version 0.4.13.
• DynamoDB provider has been upgraded to use DynamoDB Local 3.0.0.
• Hive version 3.1.3 is now the default for Big Data services, such as EMR, Glue, and Athena. (🌟 ultimate)
• CodeBuild provider now includes the following enhancements: (🌟 base)
  • CodeBuild now assumes the configured IAM service role during builds, enabling use of AWS CLI commands without manual credential setup.
  • Additionally, CodeBuild automatically sets environment variables for region, and endpoint URL into the build container. The endpoint URL is configured to point to the LocalStack container, allowing jobs to access other emulated AWS services.
• CloudTrail provider now includes the following enhancements: (🌟 ultimate)
  • CloudTrail now delivers log delivery notifications to SNS after logs are written to S3.
  • CloudTrail events now contain the populated requestParameters and responseElements fields for most events.
• EKS provider now includes the following enhancements: (🌟 ultimate)
  • Support for k8s version 1.33 is now available. The default version also changed to 1.33
  • EKS Load Balancer Controller with target-mode set to ip is now supported.
  • Support for DescribeClusterVersions API for improved compatibility with IaC tooling.
• Support for the cognito-identity.amazonaws.com:sub IAM policy variable has been added. (🌟 base)
• Role ARN and session name parameters are now validated in STS operations.
• The UpdateKinesisStreamingDestination API is now supported in DynamoDB.
• Proper validation errors are now returned for malformed AVP policies instead of internal server errors. (🌟 ultimate)
• The GetTokensFromRefreshToken API is now supported in Cognito. (🌟 base)
• The RSA_AES_KEY_WRAP_SHA_256 algorithm is now supported in the KMS ImportKeyMaterial API.
• Route53 provider now correctly maps FQDNs with trailing dots for ELB routing.
• Proper error responses are now returned for Lambda functions with invalid S3 code locations.
• The DeploymentCanarySettings property is now supported for AWS::ApiGateway::Deployment resources.
• Multiple VPCs are now supported for AWS::Route53::HostedZone during initial creation.
• MySQL RDS containers now run as non-root by default, with support for configurable user and group IDs via RDS_CONTAINER_USER_GROUP_ID environment variable (default: 1000:1000). (🌟 base)
• Improved parity for EFS AccessPoint API with enhanced validation and error handling. (🌟 ultimate)
• The ipAddressType field is now supported in API Gateway REST & HTTP APIs, where the field can be set to ipv4 or dualstack, via the CreateRestApi, and CreateApi APIs.
• Updates to the AWS::SNS::Topic resource are now supported, including support for changes to DisplayName, TopicName, and Tags properties.
• DomainProcessingStatus is now returned and user-provided values are preserved when creating Elasticsearch domains via the CreateElasticsearchDomain API.
• The Name and OpenTableFormatInput parameters are now supported in the Glue CreateTable API, and TableInput is treated as optional in parity with AWS behaviour. (🌟 ultimate)
• Improved support for non-default account IDs in API Gateway v2, AppSync, CodePipeline, [Cognito](https://docs.localstack.cloud/aws/se...