by rembal 42 days ago
+1 on the IAM over-engineering, though to AWS's credit, I suspect it was evolved rather than designed, and that's what you get when evolution has to maintain some level of backward compatibility (think humans still having to be able to lay eggs). Another thing that happens occasionally for SaaS companies is AWS creating a copy of their product in a bit of a sus way - but it's not a technical problem, it's a business model problem.
2 comments

This is unfortunately unavoidable for any system like IAM. All of them evolve into a monstrosity because of so many conflicting requirements. Most importantly, being simple and tractable on one end and being able to express any imaginable predicate on the other.
And god help you if you want to use one of their many competing data engineering tools, all of which will be duct-taped onto Glue and require not just IAM but also another layer of RBAC on top of IAM. Like you said with IAM, I think it just slowly evolved into the mess it is today, but it's rough. Trying to just run a simple Spark query using an S3 Table Bucket was enough to remind me why Snowflake and Databricks are printing money by making it a more user-friendly experience.