[Feature request] offline mode / local cache

[anchnk]

As of now (sam 0.4.0) some commands such as:

• sam local invoke

does require a network connection to be functionals. I am aware that this command fetch a new docker instances on each invocation and that behavior can be override with skip-pull-image. Furthermore it seems to also require AWS credentials. I was quite surprise by that behavior at first even though I do understand why things are designed that way.

However being able to work locally while being offline is a quite common use case (commuting to attend a conference for instance). It might also prevents some users who would want to try lambdas and local development before signing up to AWS.

This issue is quite generic as I don't have much context about the codebase and how it works with AWS IAM under the hood. The main idea is that it would be awesome to use aws-sam-cli offline when appropriate.

Considering the docker image for instance, if an offline flag is passed as an argument, sam could use the latest one that has been fetched. I don't know if something like this can be done for sam validate is doable without being safe in terms of security but the overall behind this issue is to capture the idea to be able to work offline.

[jfuss]

Adding more context to the above:

Yes, sam local invoke and sam local start-api (basically anything that will invoke a Local Lambda) require an internet connection to download the docker-lambda container. By default, the command(s) try and fetch the a new container, if available. This is the part that needs the network connection and can be overridden by the --skip-pull-image. We can probably be smarter here on when/how we check and fetch new containers. Something like this seems reasonable to me:

1. Try and fetch the new container
   1.1. If we can't and there is already a container downloaded, use that.
   1.2. If there is no container downloaded fail the command.

--skip-pull-image would then just go to step 1.1. This can easy the pain. Looks like we have something similar to this already in #451, but that issue only suggests to display to the customer to use --skip-pull-image if there is no network.

For the permissions part:

Permissions are used in two cases:

1. Your local lambda uses the AWS SDK to call other resources. By default, those calls go to the cloud.
2. sam validate needs Credentials to call IAM. This is a detail of the SAM Translator and is used to validate managed policies.

For the calling other resources in your local lambda: This is harder to solve. We would almost need all services locally, in order for this to work offline completely. We are working on solving lambda to lambda (#532 and #508) locally, more details on this soon. This should easy some pain but solving all seem unreasonable.

For validate command: We could create an --offline mode here (something I really want to do, as it gets me almost every time). We can provide a list of Managed Policies to validate, when we are in 'offline' mode. We will need to keep this list updated but this would only provide a best effort in an offline mode, I think is all that is needed.

[bradydowling]

Another thought here, you could also have a setting for the default behavior. Something like sam config --skip-pull-image=true.

[awsjeffg]

I'm closing this issue as sam local works as expected without a network connection, eg if all of the functionality is local within SAM cli, it will work. In the case of SAM validate and other cases where we make calls to AWS services, we do require a network connection. Please feel free to re-open if you have further comments.