What does HackerNews think of iamlive?

Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy

Language: Go

Yeah, what you are looking for is something like a "learning mode" for an IAM account, where the key actually has wide-open permissions and the system records which permissions are used and generates a policy locked down to what you did while it was in "learning mode". Then you can edit that policy and turn the account into "locked mode", where permissions are limited to the created policy.

I've been in that position, and more often than not I end up doing the "wrong" thing and giving a key wider permissions than needed, because trying to lock it down is so frustrating (especially if your CI process is long/expensive). Having to wait 5+ minutes for a CI run to reach the end and realize you missed 1 permission, then rinse and repeat 10+ times for "just one more permission", is frustrating/time-consuming.

EDIT: Just saw this further down in the thread https://github.com/iann0036/iamlive (which you already replied to) which looks like it does pretty much what I'm looking for.
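The "learning mode" described in that comment, as an added example that is not part of the thread or of iamlive's code: a Go sketch of the capture-then-generate step run over a constructed CSM event stream. The names csmEvent, usedActions, policyJSON and sampleEvents are assumed, the override table is a single illustrative entry rather than a full mapping, and deriving the IAM service prefix by lowercasing the SDK service ID is an assumption that holds only for the services in the sample.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Subset of an AWS SDK client-side monitoring (CSM) datagram. With AWS_CSM_ENABLED=true the
// SDK emits one "ApiCall" JSON event per operation, plus an "ApiCallAttempt" per HTTP attempt.
type csmEvent struct{ Type, Service, Api string }
// SDK operations whose IAM action is named differently. One illustrative entry, assumed
// here; a real tool such as iamlive needs a full mapping table.
var actionOverrides = map[string]string{"s3:ListBuckets": "s3:ListAllMyBuckets"}

// usedActions is the "learning mode": each ApiCall seen while the wide-open key was in use
// becomes one IAM action, deduplicated and sorted.
func usedActions(datagrams []string) ([]string, error) {
	seen := map[string]bool{}
	for _, d := range datagrams {
		var e csmEvent
		if err := json.Unmarshal([]byte(d), &e); err != nil {
			return nil, err
		}
		if e.Type != "ApiCall" { continue } // attempt events would count a retried call twice
		a := strings.ToLower(e.Service) + ":" + e.Api // lowercasing the service ID is an assumption
		if o, ok := actionOverrides[a]; ok { a = o }
		seen[a] = true
	}
	var actions []string
	for a := range seen {
		actions = append(actions, a)
	}
	sort.Strings(actions)
	return actions, nil
}

// policyJSON renders the locked-down policy. CSM datagrams carry no ARNs, so Resource stays
// "*" and must be narrowed by hand before switching the key to "locked mode".
func policyJSON(actions []string) string {
	stmt := map[string]interface{}{"Effect": "Allow", "Action": actions, "Resource": "*"}
	out, _ := json.MarshalIndent(map[string]interface{}{"Version": "2012-10-17", "Statement": []interface{}{stmt}}, "", "  ")
	return string(out)
}

// Constructed CSM stream: ListBuckets, a GetObject that was retried (attempt + call), GetCallerIdentity.
var sampleEvents = []string{
	`{"Version":1,"Type":"ApiCall","Service":"S3","Api":"ListBuckets"}`,
	`{"Version":1,"Type":"ApiCallAttempt","Service":"S3","Api":"GetObject"}`,
	`{"Version":1,"Type":"ApiCall","Service":"S3","Api":"GetObject"}`,
	`{"Version":1,"Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity"}`,
}
```

The generated statement allows exactly the three actions the session used, with the retried GetObject counted once and the ListBuckets call translated to the s3:ListAllMyBuckets permission it actually needs.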

I have used https://github.com/iann0036/iamlive with great success in the past. At a high level, the approach you are describing is iamlive on steroids with improved UX.

Kudos on the launch, will check out your beta.

How would you compare your offering to https://github.com/iann0036/iamlive (an open-source implementation of IAM generation from client-side monitoring or proxy, released in Feb 2021)?

IAM isn't fun, but there are lots of options.

https://pypi.org/project/access-undenied-aws/ will allow you to start with least privilege and fix specific issues.

https://github.com/iann0036/iamlive allows an admin to perform the action via CLI and capture the policy.

Access Advisor can inspect how you actually use the role and give suggestions on what to remove.

A more helpful suggestion is to experiment with these tools and then find gaps in IAM actions and submit those as feature requests via your TAM.