AWS API is designed to be NOT used
AWS -- Amazon Web Services -- have quite decent access control system.
Administrator can create system user and configure what API calls with what arguments that user can do. That specification about what calls are allowed and what denied is called policy. There is also API call, which requires administrator privileges, that modifies policy. So far, so good.
Except I lied to you. There is no API call to modify policy. Instead, there is API call to create new version of policy and set it as active. Catch is that there can be only 5 (five, hard-coded) versions of a given policy. So to actually modify policy without running into that limit, administrator have to issue three API calls instead:
- List existing policy versions
- Delete all non-default versions
- Create new version and set it as default
Why this versioning needed, if any reasonable developer would put that policy under version control and use API to push it to AWS? Probably because AWS users are not supposed be reasonable developers, they are supposed to do mindless clicking in shitty web interface (proudly called AWS Console) and believe this is the norm.
This is not the only example. Things that are natural, like replacing whole list of load balancer rules, but that are not possible with web interface, are invariably clumsy in API.
Is it invisible hand of free market, that if there are a lot of hopeless idiots around pretending to be programmers, somebody would start making money catering to them, or is it deliberate effort to sway those who are on then fence into pitiful mouse clicking?