Tech Echo (科技回声)

Cedar: A New Policy Language

12 points by cjg, over 2 years ago

3 comments

rendaw, over 2 years ago

IAM policies are yet another example of something that started as a "simple" declarative specification, then people realized it wasn't actually simple and started tacking on poorly thought out language constructs until it became a new awful embedded Turing-complete language.

Rather than make a new language, they should have made a WASM or eBPF API and just let people use the full power of whatever language they want.

> Cedar is written in Rust, which makes it run in milliseconds

This statement is so weird. Milliseconds isn't particularly fast, and does that mean it runs in that time span regardless of complexity?

vlmutolo, over 2 years ago

I like the Datalog-based policy language used in Biscuits.

https://www.biscuitsec.org/

Taikonerd, over 2 years ago

So, "like IAM but generalized to all cloud providers"?

My worry is that there will be statements that only make sense with one cloud provider -- like, you're running on Google Cloud, and you want to make some declaration that only makes sense in Google Cloud. But I guess Cedar wouldn't allow that?

It's like SQL libraries: the ones that are supposed to be database-agnostic usually have some escape hatch to say "I need to call this Postgres-specific function."