Security

IAM

Protocol: Query (XML) — POST http://localhost:4566/ with Action= parameter IAM supports 65+ operations covering users, roles, groups, policies, instance profiles, access keys, and login profiles.

IAM operations (65+)

Users
CreateUser · GetUser · DeleteUser · ListUsers · UpdateUser · TagUser · UntagUser · ListUserTagsGroups
CreateGroup · GetGroup · DeleteGroup · ListGroups · AddUserToGroup · RemoveUserFromGroup · ListGroupsForUserRoles
CreateRole · GetRole · DeleteRole · ListRoles · UpdateRole · UpdateAssumeRolePolicy · TagRole · UntagRole · ListRoleTagsPolicies
CreatePolicy · GetPolicy · DeletePolicy · ListPolicies · CreatePolicyVersion · GetPolicyVersion · DeletePolicyVersion · ListPolicyVersions · SetDefaultPolicyVersion · TagPolicy · UntagPolicy · ListPolicyTagsPolicy Attachments
AttachUserPolicy · DetachUserPolicy · ListAttachedUserPolicies
AttachGroupPolicy · DetachGroupPolicy · ListAttachedGroupPolicies
AttachRolePolicy · DetachRolePolicy · ListAttachedRolePoliciesInline Policies
PutUserPolicy · GetUserPolicy · DeleteUserPolicy · ListUserPolicies
PutGroupPolicy · GetGroupPolicy · DeleteGroupPolicy · ListGroupPolicies
PutRolePolicy · GetRolePolicy · DeleteRolePolicy · ListRolePoliciesInstance Profiles
CreateInstanceProfile · GetInstanceProfile · DeleteInstanceProfile · ListInstanceProfiles · AddRoleToInstanceProfile · RemoveRoleFromInstanceProfile · ListInstanceProfilesForRoleAccess Keys
CreateAccessKey · GetAccessKeyLastUsed · ListAccessKeys · UpdateAccessKey · DeleteAccessKeyLogin Profiles
CreateLoginProfile · DeleteLoginProfile · UpdateLoginProfile

Examples

export AWS_ENDPOINT=http://localhost:4566

# Create a role
aws iam create-role \
  --role-name lambda-execution-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }' \
  --endpoint-url $AWS_ENDPOINT

# Attach a managed policy
aws iam attach-role-policy \
  --role-name lambda-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole \
  --endpoint-url $AWS_ENDPOINT

# Create a user
aws iam create-user --user-name alice --endpoint-url $AWS_ENDPOINT

# Create an access key
aws iam create-access-key --user-name alice --endpoint-url $AWS_ENDPOINT

# List roles
aws iam list-roles --endpoint-url $AWS_ENDPOINT

STS

Protocol: Query (XML) — POST http://localhost:4566/ with Action= parameter STS supports all 7 operations including role assumption, web identity federation, SAML, and session tokens. GetCallerIdentity is commonly used as a connectivity smoke test.

STS operations (7)

Action	Description
`GetCallerIdentity`	Returns the account ID, user ID, and ARN
`AssumeRole`	Assume an IAM role, returns temporary credentials
`AssumeRoleWithWebIdentity`	Assume a role using a web identity token (OIDC)
`AssumeRoleWithSAML`	Assume a role using a SAML assertion
`GetSessionToken`	Get temporary credentials for an IAM user
`GetFederationToken`	Get temporary credentials for a federated user
`DecodeAuthorizationMessage`	Decode an encoded authorization failure message

Examples

export AWS_ENDPOINT=http://localhost:4566

# Get caller identity (always works, useful for smoke testing)
aws sts get-caller-identity --endpoint-url $AWS_ENDPOINT

# Assume a role
aws sts assume-role \
  --role-arn arn:aws:iam::000000000000:role/my-role \
  --role-session-name dev-session \
  --endpoint-url $AWS_ENDPOINT

# Get a session token
aws sts get-session-token --endpoint-url $AWS_ENDPOINT

Cognito

Protocol: JSON 1.1 (X-Amz-Target: AWSCognitoIdentityProviderService.*)
Endpoint: POST http://localhost:4566/ Floci serves pool-specific discovery and JWKS endpoints, plus a relaxed OAuth token endpoint, so local clients can mint and validate Cognito-like access tokens against RS256 signing keys.

JWT signature validation uses http://localhost:4566/{userPoolId} as the issuer. Tokens include the cognito:groups claim when the authenticated user belongs to groups. Floci’s validate-signatures setting defaults to false (SigV4 request signing is not enforced by default); configure your JWT validator to point at the Floci JWKS endpoint to validate token signatures.

Cognito operations (24+)

Category	Actions
User Pools	CreateUserPool, DescribeUserPool, ListUserPools, DeleteUserPool
User Pool Clients	CreateUserPoolClient, DescribeUserPoolClient, ListUserPoolClients, DeleteUserPoolClient
Resource Servers	CreateResourceServer, DescribeResourceServer, ListResourceServers, DeleteResourceServer
Admin User Management	AdminCreateUser, AdminGetUser, AdminDeleteUser, AdminSetUserPassword, AdminUpdateUserAttributes
User Operations	SignUp, ConfirmSignUp, GetUser, UpdateUserAttributes, ChangePassword, ForgotPassword, ConfirmForgotPassword
Authentication	InitiateAuth, AdminInitiateAuth, RespondToAuthChallenge
User Listing	ListUsers
Groups	CreateGroup, GetGroup, ListGroups, DeleteGroup, AdminAddUserToGroup, AdminRemoveUserFromGroup, AdminListGroupsForUser

Well-Known and OAuth Endpoints

Endpoint	Description
`GET /{userPoolId}/.well-known/openid-configuration`	OpenID discovery document
`GET /{userPoolId}/.well-known/jwks.json`	JSON Web Key Set for JWT validation
`POST /cognito-idp/oauth2/token`	OAuth token endpoint for `grant_type=client_credentials`

The OAuth token endpoint requires a confidential app client created with GenerateSecret=true, AllowedOAuthFlowsUserPoolClient=true, and AllowedOAuthFlows=["client_credentials"]. It returns access_token, token_type, and expires_in.

Examples

export AWS_ENDPOINT=http://localhost:4566

# Create a user pool
POOL_ID=$(aws cognito-idp create-user-pool \
  --pool-name MyApp \
  --query UserPool.Id --output text \
  --endpoint-url $AWS_ENDPOINT)

# Create an app client
CLIENT_ID=$(aws cognito-idp create-user-pool-client \
  --user-pool-id $POOL_ID \
  --client-name my-client \
  --generate-secret \
  --allowed-o-auth-flows-user-pool-client \
  --allowed-o-auth-flows client_credentials \
  --allowed-o-auth-scopes notes/read notes/write \
  --query UserPoolClient.ClientId --output text \
  --endpoint-url $AWS_ENDPOINT)

# Retrieve the generated client secret
CLIENT_SECRET=$(aws cognito-idp describe-user-pool-client \
  --user-pool-id $POOL_ID \
  --client-id $CLIENT_ID \
  --query UserPoolClient.ClientSecret --output text \
  --endpoint-url $AWS_ENDPOINT)

# Register a resource server and scopes
aws cognito-idp create-resource-server \
  --user-pool-id $POOL_ID \
  --identifier notes \
  --name "Notes API" \
  --scopes ScopeName=read,ScopeDescription="Read notes" ScopeName=write,ScopeDescription="Write notes" \
  --endpoint-url $AWS_ENDPOINT

# Create a user
aws cognito-idp admin-create-user \
  --user-pool-id $POOL_ID \
  --username [email protected] \
  --temporary-password Temp1234! \
  --endpoint-url $AWS_ENDPOINT

# Set a permanent password
aws cognito-idp admin-set-user-password \
  --user-pool-id $POOL_ID \
  --username [email protected] \
  --password Perm1234! \
  --permanent \
  --endpoint-url $AWS_ENDPOINT

# Authenticate
aws cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --client-id $CLIENT_ID \
  --auth-parameters [email protected],PASSWORD=Perm1234! \
  --endpoint-url $AWS_ENDPOINT

# Add user to group
aws cognito-idp admin-add-user-to-group \
  --user-pool-id $POOL_ID \
  --group-name admin \
  --username [email protected] \
  --endpoint-url $AWS_ENDPOINT

# Fetch the pool discovery document
curl -s "$AWS_ENDPOINT/$POOL_ID/.well-known/openid-configuration"

# Get a machine access token (client credentials)
curl -s \
  -X POST "$AWS_ENDPOINT/cognito-idp/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "scope=notes/read notes/write"

KMS

Protocol: JSON 1.1 (X-Amz-Target: TrentService.*)
Endpoint: POST http://localhost:4566/ KMS supports symmetric and asymmetric keys, encrypt/decrypt, sign/verify, data key generation, envelope encryption, and aliases.

KMS operations (18)

Action	Description
`CreateKey`	Create a new KMS key
`DescribeKey`	Get key metadata
`ListKeys`	List all keys
`Encrypt`	Encrypt plaintext with a key
`Decrypt`	Decrypt ciphertext
`ReEncrypt`	Re-encrypt under a different key
`GenerateDataKey`	Generate a data key (plaintext + encrypted)
`GenerateDataKeyWithoutPlaintext`	Generate only the encrypted data key
`Sign`	Sign a message with an asymmetric key
`Verify`	Verify a signature
`CreateAlias`	Create a friendly name for a key
`DeleteAlias`	Remove an alias
`ListAliases`	List all aliases
`ScheduleKeyDeletion`	Mark a key for deletion
`CancelKeyDeletion`	Cancel pending deletion
`TagResource`	Tag a key
`UntagResource`	Remove tags
`ListResourceTags`	List tags

Examples

export AWS_ENDPOINT=http://localhost:4566

# Create a symmetric key
KEY_ID=$(aws kms create-key \
  --description "My encryption key" \
  --query KeyMetadata.KeyId --output text \
  --endpoint-url $AWS_ENDPOINT)

# Create an alias
aws kms create-alias \
  --alias-name alias/my-key \
  --target-key-id $KEY_ID \
  --endpoint-url $AWS_ENDPOINT

# Encrypt
CIPHER=$(aws kms encrypt \
  --key-id alias/my-key \
  --plaintext "Hello, World!" \
  --query CiphertextBlob --output text \
  --endpoint-url $AWS_ENDPOINT)

# Decrypt
aws kms decrypt \
  --ciphertext-blob $CIPHER \
  --query Plaintext --output text \
  --endpoint-url $AWS_ENDPOINT | base64 --decode

# Generate a data key (envelope encryption)
aws kms generate-data-key \
  --key-id alias/my-key \
  --key-spec AES_256 \
  --endpoint-url $AWS_ENDPOINT

ACM

Protocol: JSON 1.1 (X-Amz-Target: CertificateManager.*)
Endpoint: POST http://localhost:4566/ All requested certificates are immediately issued with status ISSUED — no DNS or email validation is required. Certificates are generated with real RSA/EC keys and valid X.509 structure. Supported key algorithms: RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1.

ACM operations (12)

Action	Description
`RequestCertificate`	Request a new certificate (auto-issued)
`DescribeCertificate`	Get certificate details and validation status
`GetCertificate`	Retrieve the certificate and chain in PEM format
`ListCertificates`	List all certificates with optional status filtering
`DeleteCertificate`	Delete a certificate
`AddTagsToCertificate`	Add tags to a certificate
`RemoveTagsFromCertificate`	Remove tags from a certificate
`ListTagsForCertificate`	List tags for a certificate
`ExportCertificate`	Export certificate with encrypted private key (PRIVATE type only)
`GetAccountConfiguration`	Get account-level ACM settings
`PutAccountConfiguration`	Update account-level ACM settings
`RenewCertificate`	Trigger certificate renewal

Examples

export AWS_ENDPOINT=http://localhost:4566

# Request a certificate
CERT_ARN=$(aws acm request-certificate \
  --domain-name "example.com" \
  --subject-alternative-names "www.example.com" "*.example.com" \
  --validation-method DNS \
  --query CertificateArn --output text \
  --endpoint-url $AWS_ENDPOINT)

# Describe the certificate
aws acm describe-certificate \
  --certificate-arn $CERT_ARN \
  --endpoint-url $AWS_ENDPOINT

# Get certificate in PEM format
aws acm get-certificate \
  --certificate-arn $CERT_ARN \
  --endpoint-url $AWS_ENDPOINT

# List only issued certificates
aws acm list-certificates \
  --certificate-statuses ISSUED \
  --endpoint-url $AWS_ENDPOINT

# Add tags
aws acm add-tags-to-certificate \
  --certificate-arn $CERT_ARN \
  --tags Key=Environment,Value=Production Key=Project,Value=Demo \
  --endpoint-url $AWS_ENDPOINT

# Request a private (exportable) certificate
PRIVATE_ARN=$(aws acm request-certificate \
  --domain-name "internal.example.com" \
  --certificate-authority-arn "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012" \
  --query CertificateArn --output text \
  --endpoint-url $AWS_ENDPOINT)

# Export private certificate (passphrase must be base64-encoded, min 4 chars)
PASSPHRASE=$(echo -n "mypassphrase123" | base64)
aws acm export-certificate \
  --certificate-arn $PRIVATE_ARN \
  --passphrase $PASSPHRASE \
  --endpoint-url $AWS_ENDPOINT

# Delete a certificate
aws acm delete-certificate \
  --certificate-arn $CERT_ARN \
  --endpoint-url $AWS_ENDPOINT

SDK Example

AcmClient acm = AcmClient.builder()
    .endpointOverride(URI.create("http://localhost:4566"))
    .region(Region.US_EAST_1)
    .credentialsProvider(StaticCredentialsProvider.create(
        AwsBasicCredentials.create("test", "test")))
    .build();

// Request a certificate
RequestCertificateResponse response = acm.requestCertificate(req -> req
    .domainName("example.com")
    .subjectAlternativeNames("www.example.com", "*.example.com")
    .validationMethod(ValidationMethod.DNS));

String certArn = response.certificateArn();

// Describe the certificate
DescribeCertificateResponse desc = acm.describeCertificate(req -> req
    .certificateArn(certArn));

System.out.println("Status: " + desc.certificate().status());

Get Started

Configuration

Services

Contributing

IAM

Examples

STS

Examples

Cognito

Well-Known and OAuth Endpoints

Examples

KMS

Examples

ACM

Examples

SDK Example

Build docs developers (and LLMs) love

Get Started

Configuration

Services

Contributing

​IAM

​Examples

​STS

​Examples

​Cognito

​Well-Known and OAuth Endpoints

​Examples

​KMS

​Examples

​ACM

​Examples

​SDK Example

Build docs developers (and LLMs) love

IAM

Examples

STS

Examples

Cognito

Well-Known and OAuth Endpoints

Examples

KMS

Examples

ACM

Examples

SDK Example