For me personally, it would be much more useful if I could play with the policies interactively: issue requests with some tagging (a special access key maybe?) and see what permissions they need, what context they have and which of them are allowed/denied by the policies. And if I edit this part, would it affect the recorded requests?

At the moment, it usually takes me several iterations to tune the policy.

You can simulate a policy with the AWS IAM Policy Simulator.

This doesn't cut it. That tool helps if your role/user has a lot of policies that might interact with each other. But you already need to know the exact "actions" and context.

On the other hand, I have a tool that calls some AWS services that may in turn call other AWS services. Now if something fails because of an IAM denial, I have to go through the logs to figure out what it needed; sometimes it's not even in the logs (S3). Then I add it to the policy and repeat to see the next failed call.

I imagine being able to call real API calls, make them succeed and record what permissions it needed for each of those API calls. I don't need that as a permanent log, just as a development tool.

All of the SDKs support client-side monitoring (CSM), so this sort of tool can be built client-side. https://boto3.amazonaws.com/v1/documentation/api/1.10.46/gui...
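Taking the idea from the comments above (record the real API calls a tool makes, see which ones IAM denied, and turn that into a policy) and the CSM suggestion here, below is an added example, not code from any commenter, from boto3 or from AWS. With CSM enabled (AWS_CSM_ENABLED=true in the environment, or csm_enabled in ~/.aws/config) the SDK sends one JSON object per API attempt over UDP to 127.0.0.1:31000; the field names used (Type, Service, Api, HttpStatusCode, AwsException, Region, AccessKey) follow the CSM event format as the SDK docs describe it, so check them against your SDK version. The SERVICE_PREFIX_OVERRIDES and ACTION_OVERRIDES tables are my own small, assumed patch for the "not 1:1" cases (only a few S3 ones), the denial exception names are an assumption that covers the common services, and SAMPLE_DATAGRAMS are constructed, not captured.

```python
"""Record the AWS API calls a tool makes via SDK client-side monitoring (CSM)
and turn the denied ones into a draft IAM policy (development aid only)."""
import json
import socket
from collections import OrderedDict

# Assumed override tables, not an official mapping: service IDs whose IAM
# prefix is not the lowercased ID with spaces removed, and API names whose
# IAM action is named differently. Extend as mismatches show up.
SERVICE_PREFIX_OVERRIDES = {
    "Elastic Load Balancing": "elasticloadbalancing",
    "Elastic Load Balancing v2": "elasticloadbalancing",
}
ACTION_OVERRIDES = {
    ("S3", "ListObjectsV2"): "s3:ListBucket",
    ("S3", "ListObjects"): "s3:ListBucket",
    ("S3", "HeadObject"): "s3:GetObject",
    ("S3", "HeadBucket"): "s3:ListBucket",
}
# Exception codes the services use for an IAM denial (assumed set).
DENIED_EXCEPTIONS = {"AccessDenied", "AccessDeniedException",
                     "UnauthorizedOperation", "AuthorizationError"}


def iam_action(service, api):
    """Best-effort mapping of a CSM (Service, Api) pair to an IAM action name."""
    if (service, api) in ACTION_OVERRIDES:
        return ACTION_OVERRIDES[(service, api)]
    prefix = SERVICE_PREFIX_OVERRIDES.get(service, service.replace(" ", "").lower())
    return "%s:%s" % (prefix, api)


def parse_event(datagram):
    """Parse one CSM datagram (a JSON object). Returns a call record for an
    ApiCallAttempt event, None for anything else (ApiCall summaries, junk)."""
    try:
        ev = json.loads(datagram)
    except ValueError:
        return None
    if not isinstance(ev, dict) or ev.get("Type") != "ApiCallAttempt":
        return None
    service, api = ev.get("Service", ""), ev.get("Api", "")
    exc = ev.get("AwsException", "")
    denied = exc in DENIED_EXCEPTIONS or ev.get("HttpStatusCode") == 403
    return {"service": service, "api": api, "action": iam_action(service, api),
            "region": ev.get("Region", ""), "access_key": ev.get("AccessKey", ""),
            "status": ev.get("HttpStatusCode"), "exception": exc, "denied": denied}


def summarize(datagrams):
    """One row per IAM action: how often it was allowed and how often denied."""
    rows = OrderedDict()
    for d in datagrams:
        rec = parse_event(d)
        if rec is None:
            continue
        row = rows.setdefault(rec["action"], {"allowed": 0, "denied": 0, "exceptions": set()})
        row["denied" if rec["denied"] else "allowed"] += 1
        if rec["exception"]:
            row["exceptions"].add(rec["exception"])
    return rows


def draft_policy(rows, resource="*"):
    """Allow statement for every action that was denied. Resource is deliberately
    left as '*': narrowing it to real ARNs is the part a human still has to do."""
    actions = sorted(action for action, row in rows.items() if row["denied"])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}]}


def listen(host="127.0.0.1", port=31000):
    """Collect CSM datagrams until Ctrl-C. Meanwhile run the tool under test
    with AWS_CSM_ENABLED=true (and AWS_CSM_PORT if you changed the port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    datagrams = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            datagrams.append(data.decode("utf-8", "replace"))
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()
    return datagrams


def _attempt(service, api, status, exc=None):
    """Build a constructed ApiCallAttempt datagram shaped like the SDK's."""
    ev = {"Version": 1, "ClientId": "policy-dev", "Type": "ApiCallAttempt", "Service": service,
          "Api": api, "Region": "us-east-1", "AccessKey": "AKIAEXAMPLE", "HttpStatusCode": status}
    if exc:
        ev["AwsException"] = exc
    return json.dumps(ev)


# Constructed sample datagrams standing in for a real CSM capture.
SAMPLE_DATAGRAMS = [
    _attempt("S3", "ListObjectsV2", 403, "AccessDenied"),
    _attempt("S3", "GetObject", 200),
    _attempt("SQS", "SendMessage", 403, "AccessDenied"),
    _attempt("STS", "GetCallerIdentity", 200),
    json.dumps({"Version": 1, "Type": "ApiCall", "Service": "S3", "Api": "ListObjectsV2", "AttemptCount": 1}),
    "not json",
]

if __name__ == "__main__":
    rows = summarize(listen())
    for action, row in rows.items():
        print("%-45s allowed=%d denied=%d %s" % (action, row["allowed"], row["denied"],
                                                 ",".join(sorted(row["exceptions"]))))
    print(json.dumps(draft_policy(rows), indent=2))
```

Run the listener in one terminal, your tool with AWS_CSM_ENABLED=true in another, and Ctrl-C the listener when the tool stops; the per-action table is the list the comments above were asking for, and the draft policy is a starting point rather than something to ship, since Resource is a wildcard and the service-to-IAM mapping is only the easy part of the problem.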

AFAICS the only challenge is mapping some of the APIs to IAM, as it's only 85% 1:1.

There are also tools for helping with IAM, like a generator and a linter:

https://github.com/salesforce/policy_sentry

https://github.com/duo-labs/parliament