Credentials
Simfra enforces SigV4 signing and IAM policy evaluation on every request, matching real AWS behavior. All requests must be signed with valid credentials.
Default Root Credentials
Simfra ships with a default root account:
| Setting | Default | Env Var |
|---|---|---|
| Access Key ID | AKIAIOSFODNN7EXAMPLE | SIMFRA_ROOT_ACCESS_KEY_ID |
| Secret Access Key | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY | SIMFRA_ROOT_SECRET_ACCESS_KEY |
| Account ID | 000000000000 | SIMFRA_DEFAULT_ACCOUNT_ID |
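The root account has full access to all services and operations. Override these defaults with the environment variables listed in the table if needed. Clients read the credentials from the standard AWS environment variables: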
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SigV4 Signing
All requests must include a valid SigV4 signature. This is handled automatically by:
- AWS CLI
- AWS SDKs (Go, Python, JavaScript, Java, etc.)
- Terraform AWS provider
- Any tool that supports AWS authentication
Unsigned requests are rejected with 403 AccessDenied.
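The signing step and the matching server-side check, as an added Python example that is not Simfra's own code: it builds the `Authorization` header for one request with the default root credentials and recomputes the signature the way a verifier would. The request values (host, date, region) are constructed, and the query string is assumed to be already sorted and URI-encoded.

```python
import hashlib
import hmac

# Default root credentials from the table on this page.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(secret, method, path, query, headers, body, amz_date, region, service):
    """Return (hex signature, signed-header list, credential scope) for one request."""
    # 1. Canonical request: header names lowercased and sorted, values trimmed.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in canon)
    canonical_request = "\n".join([
        method, path, query,
        "".join(f"{k}:{v}\n" for k, v in canon),
        signed,
        hashlib.sha256(body).hexdigest(),
    ])
    # 2. String to sign, bound to the date/region/service scope.
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # 3. Signing key: HMAC chain over the scope parts; the secret itself is never sent.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex(), signed, scope

def authorization_header(access_key, secret, *request):
    sig, signed, scope = signature(secret, *request)
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

def verify(auth_header, secret, *request):
    """Server side: recompute from the received request, compare in constant time."""
    claimed = auth_header.rsplit("Signature=", 1)[-1]
    expected, _, _ = signature(secret, *request)
    return hmac.compare_digest(claimed, expected)

# Constructed sample request; host and port are placeholders, not Simfra defaults.
REQ = ("GET", "/", "Action=ListUsers&Version=2010-05-08",
       {"Host": "localhost:8080", "X-Amz-Date": "20240101T000000Z"},
       b"", "20240101T000000Z", "us-east-1", "iam")
```

Because the body hash and every signed header feed the signature, changing any of them after signing makes `verify` fail, which is why a modified or unsigned request cannot pass the check.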
Creating IAM Users
For more realistic testing, create IAM users with their own credentials and policies:
# Create a user
aws iam create-user --user-name developer
# Create access keys
aws iam create-access-key --user-name developer
The output includes a new AccessKeyId and SecretAccessKey. Use these instead of the root credentials.
Attach policies
# Full admin access
aws iam attach-user-policy \
--user-name developer \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Or scoped access
aws iam create-policy \
--policy-name S3ReadOnly \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:Get*", "s3:List*"],
"Resource": "*"
}]
}'
aws iam attach-user-policy \
--user-name developer \
--policy-arn arn:aws:iam::000000000000:policy/S3ReadOnly
IAM policies are enforced - the developer user can only perform actions allowed by its attached policies.
STS AssumeRole
Create roles and assume them for temporary credentials:
# Create a role
aws iam create-role \
--role-name deploy-role \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::000000000000:root"},
"Action": "sts:AssumeRole"
}]
}'
# Attach policies to the role
aws iam attach-role-policy \
--role-name deploy-role \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Assume the role
aws sts assume-role \
--role-arn arn:aws:iam::000000000000:role/deploy-role \
--role-session-name my-session
The response includes temporary AccessKeyId, SecretAccessKey, and SessionToken credentials. These expire after the specified duration (default 1 hour), just like real AWS.
IAM Policy Evaluation
Simfra implements the full IAM evaluation chain:
- Explicit deny - any deny in any policy takes precedence
- Service Control Policies - if the account is in an Organization
- Resource-based policies - policies on the target resource (S3 bucket policies, SQS queue policies, etc.)
- Permission boundaries - maximum permissions for the entity
- Identity-based policies - policies attached to the user/role
- Session policies - for assumed role sessions
This means you can test IAM configurations locally and get the same allow/deny decisions as real AWS.
Next Steps
- Quick Start - create your first resources
- Terraform Quick Start - provision infrastructure with Terraform