Hacker News new | ask | show | jobs
by orf 1955 days ago
I think IAM is really, really cool. I’ve always wondered: is IAM a service under the hood? Surely not - the volume of requests would be insane and the single point of failure pretty risky.

So is it a spec with some kind of shared data plane to retrieve policies? If so how would they be evaluated consistently across different languages? Producing a shared library that does this in all contexts/languages sounds improbable. But then the policies are clearly compiled to some kind of bytecode, so a common implementation would make sense. But then again it is something that would definitely benefit from centralisation.

1 comment

ex-AWS here. IAM is definitely a service! It's super powerful underneath the hood.

However, as a caller, you need multiple levels of caching underneath the hood (all built by the IAM team). That's part of the reason why you can't use IAM as an external service.

IAM is also eventually consistent - that's why if you modify the policy doc it takes seconds to reflect in your service calls :) (sometimes even minutes). IAM outages can and will take down multiple AWS services.

> If so how would they be evaluated consistently across different languages?

Internally everything is JVM AFAIK :). If you go out of the JVM world in AWS you'll have to deal with this problem yourself, which can be painful.
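As an added example (not from this thread, and not AWS's implementation), here is a small Python model of the documented identity-policy evaluation order that the question above is asking about: every applicable statement is considered, a matching explicit Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. It also implements the `*` and `?` wildcards in Action and Resource, case-insensitive action matching, and NotAction/NotResource. Conditions, resource-based policies, SCPs and permission boundaries are deliberately left out. The policy documents and ARNs are constructed for the example.

```python
import re

# Constructed sample identity policies in the IAM JSON layout (not real policies).
POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/*"},
            # Explicit deny: wins over the Allow above for this one action.
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        ],
    },
]


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _pattern_to_regex(pattern, case_insensitive):
    """IAM wildcards: '*' matches any run of characters, '?' matches exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile("^" + escaped + "$", flags)


def _matches(patterns, value, case_insensitive):
    return any(_pattern_to_regex(p, case_insensitive).match(value) for p in patterns)


def statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request.
    Action names are matched case-insensitively; ARNs are matched case-sensitively."""
    if "Action" in stmt:
        if not _matches(_as_list(stmt["Action"]), action, True):
            return False
    elif "NotAction" in stmt:
        if _matches(_as_list(stmt["NotAction"]), action, True):
            return False
    else:
        return False  # a statement without Action/NotAction applies to nothing

    if "Resource" in stmt:
        if not _matches(_as_list(stmt["Resource"]), resource, False):
            return False
    elif "NotResource" in stmt:
        if _matches(_as_list(stmt["NotResource"]), resource, False):
            return False
    else:
        return False
    return True


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny'.

    Evaluation order: any applicable Deny short-circuits to explicit_deny; otherwise
    any applicable Allow yields allow; with no applicable statement the default is deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    bucket_obj = "arn:aws:s3:::example-bucket/report.csv"
    for action, resource in [
        ("s3:GetObject", bucket_obj),
        ("s3:DeleteObject", bucket_obj),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("iam:getuser", "arn:aws:iam::123456789012:user/alice"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/alice"),
    ]:
        print(f"{action:18} {resource:45} -> {evaluate(POLICIES, action, resource)}")
```

A model like this evaluates whatever policy documents you hand it; as the reply above notes, the real service answers from cached, eventually consistent copies, so a policy you changed seconds ago may not yet be the one being evaluated.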

Thanks! That’s super interesting. There’s something really cool about building something as flexible and (presumably) fast as IAM.

The caching layer must also be quite complex! But thanks for settling this for me.