IAM policies are yet another example of something that started as a "simple" declarative specification, then people realized it wasn't actually simple and started tacking on poorly thought out language constructs until it became a new awful embedded Turing-complete language.

Rather than make a new language, they should have made a WASM or eBPF API and just let people use the full power of whatever language they want.

> Cedar is written in Rust, which makes it run in milliseconds

This statement is so weird. Milliseconds isn't particularly fast, and does that mean it runs in that time span regardless of complexity?
I like the Datalog-based policy language used in Biscuits.

https://www.biscuitsec.org/
So, "like IAM but generalized to all cloud providers"?

My worry is that there will be statements that only make sense with one cloud provider -- like, you're running on Google Cloud, and you want to make some declaration that only makes sense in Google Cloud. But I guess Cedar wouldn't allow that?

It's like SQL libraries: the ones that are supposed to be database-agnostic usually have some escape hatch to say "I need to call this Postgres-specific function."