Cedar has a playground that supports much of what you're asking for, or were you referring to IAM (AWS-specific, and not model policies for your business)?

https://www.cedarpolicy.com/en/playground

It seems more akin to the IAM policy simulator to me. You need to know the specific action and context to play with the policy.

In the real case I don't know what context the actions carry that I may use for filtering; I don't know the action names, and I may not even know the full list of API calls the tool I use wants to make.

AWS knows (could record) all of the above for me.

> In the real case I don't know what context the actions carry that I may use for filtering

You do know all of this with Cedar as the service owner though. You know the attributes on the entities, you know the policies. Something is going over my head, because I don't think I understand the use case. Can you give a concrete example?

Probably we're looking at the problem from a different point of view.

Imagine I'm a new AWS customer that creates their account, starts an Elastic Beanstalk application and tries to automate deployment via CI. The access key will need some permissions to EB, EC2, S3, maybe RDS, ECR... The best thing I can do at the moment is to expect that an example policy is somewhere in the docs.

Yeah, what you are looking for is something like a "learning mode" for an IAM account, where the key actually has wide-open permissions and the system records which permissions are used and generates a policy locked down to what you did while it was in "learning mode". Then you can edit that policy and turn the account into "locked mode", where permissions are limited to the created policy.

I've been in that position, and more often than not I end up doing the "wrong" thing and give a key wider permissions than needed, because trying to lock it down is so frustrating (especially if your CI process is long/expensive). Having to wait 5+ minutes for a CI run to reach the end and realize you missed 1 permission, rinse and repeat 10+ times for "just one more permission", is frustrating/time consuming.

EDIT: Just saw this further down in the thread https://github.com/iann0036/iamlive (which you already replied to) which looks like it does pretty much what I'm looking for.
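The "learning mode" / "locked mode" idea from the comment above, as an added example written for this page (it is not code from the thread, from iamlive, or from AWS). It records CloudTrail-shaped API calls while a key is allowed everything, derives IAM action names from them, emits a least-privilege policy with one statement per service, and then enforces that policy on later calls. The event records are constructed for the example, and the `EVENT_SOURCE_TO_PREFIX` table is an assumed subset: CloudTrail's `eventSource` is not always the IAM service prefix (for instance `monitoring.amazonaws.com` maps to `cloudwatch`), so a real tool needs the full mapping.

```python
"""Learning-mode policy generation from CloudTrail-style events.

Added example, not from the thread or any AWS tool. Records the API calls a key
makes while in "learning mode", emits a least-privilege IAM policy, then
enforces it in "locked mode". Event shapes mimic CloudTrail but are constructed
here; the eventSource -> IAM prefix table is an assumed subset, not AWS's full mapping.
"""
import fnmatch
import json
from collections import defaultdict

# Assumed mapping for the handful of services in the constructed sample.
# CloudTrail's eventSource is not always the IAM service prefix (e.g.
# monitoring.amazonaws.com -> cloudwatch), so a real tool needs a full table.
EVENT_SOURCE_TO_PREFIX = {
    "elasticbeanstalk.amazonaws.com": "elasticbeanstalk",
    "ec2.amazonaws.com": "ec2",
    "s3.amazonaws.com": "s3",
    "rds.amazonaws.com": "rds",
    "ecr.amazonaws.com": "ecr",
    "monitoring.amazonaws.com": "cloudwatch",
}

# Constructed CloudTrail-like records for a CI key deploying an EB application.
SAMPLE_EVENTS = [
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "DescribeApplications"},
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "CreateApplicationVersion"},
    {"eventSource": "elasticbeanstalk.amazonaws.com", "eventName": "UpdateEnvironment"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},  # duplicate call
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "GetMetricStatistics"},
]


def event_to_action(event):
    """Turn a CloudTrail record into an IAM action string such as 's3:PutObject'."""
    prefix = EVENT_SOURCE_TO_PREFIX.get(event["eventSource"])
    if prefix is None:
        # Unknown service: fail loudly rather than silently dropping a permission.
        raise ValueError(f"no IAM prefix known for {event['eventSource']}")
    return f"{prefix}:{event['eventName']}"


def build_policy(events):
    """Deduplicate observed actions and emit one Allow statement per service.

    Resource stays '*' because the event source/name alone does not say which
    ARNs to scope to; that is the part you then tighten by hand.
    """
    by_service = defaultdict(set)
    for ev in events:
        action = event_to_action(ev)
        by_service[action.split(":")[0]].add(action)
    statements = [
        {
            "Sid": f"Learned{svc.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


class LearningKey:
    """Access-key model: allow everything while learning, enforce the learned policy once locked."""

    def __init__(self):
        self.mode = "learning"
        self.seen = []
        self.policy = None

    def call(self, event):
        """Return True if the call is permitted in the current mode."""
        if self.mode == "learning":
            self.seen.append(event)
            return True
        action = event_to_action(event)
        allowed = [a for st in self.policy["Statement"] if st["Effect"] == "Allow"
                   for a in st["Action"]]
        # fnmatch handles the 'ec2:Describe*' style wildcards you may add when editing.
        return any(fnmatch.fnmatch(action, pattern) for pattern in allowed)

    def lock(self):
        """Freeze the recorded calls into a policy and switch to enforcement."""
        self.policy = build_policy(self.seen)
        self.mode = "locked"
        return self.policy


def demo():
    """Run the constructed events through learning mode, lock, then probe two calls."""
    key = LearningKey()
    for ev in SAMPLE_EVENTS:
        key.call(ev)
    print(json.dumps(key.lock(), indent=2))
    # A recorded call still passes; one never observed during learning is denied.
    return (
        key.call({"eventSource": "s3.amazonaws.com", "eventName": "PutObject"}),
        key.call({"eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance"}),
    )


if __name__ == "__main__":
    print(demo())
```

The generated policy is only as complete as the learning run: any branch of the CI job that did not execute (a first-time resource creation, a rollback path) leaves its permissions unrecorded, which is the same "just one more permission" loop the comment describes, just with far fewer iterations.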