LocalStack AuthZ

a lightweight security layer for LocalStack that blocks unauthorized requests. It extracts the AccessKeyId from each request and allows only whitelisted keys to pass through.

Architecture

graph LR
    User["User "] --> NGINX["NGINX"]
    NGINX -->|subreq: /_authz| AuthZ["AuthZ"]
    NGINX -->|forward traffic| LocalStack["LocalStack"]
    
    AuthZ -->|Allow / Deny| NGINX
    LocalStack --> NGINX

Usage

services:
  localstack: # u have to ensure that localstack is not reachable to the outside network.
    .
    .
    .
    networks:
      - lsnet

  authz:
    image: chxmxi/localstack-authz:latest
    container_name: authz
    depends_on: [localstack]
    environment:
      - ALLOWED_KEYS=dummyaccesskeys,AKIA2L03056B890WYAAZ,LKIAQAAAAAAAN7PNUWLO #add your AKs whitelist
      - AUTHZ_DEBUG=true #enable debug 
    networks: [lsnet]

  proxy:
    build:
      context: ../proxy
    container_name: proxy
    ports:
      - "80:80"
    depends_on:
      - localstack
      - authz
    networks: [lsnet]

networks:
  lsnet:
    driver: bridge
    external: false

Contribute

Feel free to open an issue or a PR if you have any ideas.

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
.github/workflows		.github/workflows
example		example
proxy		proxy
src		src
.dockerignore		.dockerignore
.gitignore		.gitignore
.python-version		.python-version
Dockerfile		Dockerfile
Makefile		Makefile
README.md		README.md
main.py		main.py
pyproject.toml		pyproject.toml
uv.lock		uv.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

LocalStack AuthZ

Architecture

Usage

Contribute

About

Uh oh!

Releases 1

Languages

chxmxii/localstack-authz

Folders and files

Latest commit

History

Repository files navigation

LocalStack AuthZ

Architecture

Usage

Contribute

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases 1

Languages