This topic describes the limits of Resource Access Management (RAM).
Category | Item | Upper limit |
RAM user | The number of RAM users that can be created within an Alibaba Cloud account | 5000 |
The number of characters that the name of a RAM user can contain | 64 | |
The maximum number of RAM user groups to which a RAM user can be added | 10 | |
The number of AccessKey pairs that a RAM user can create | 2 | |
The number of multi-factor authentication (MFA) devices that can be bound to a RAM user | 1 | |
The number of system policies that can be attached to a RAM user | 20 | |
The number of custom policies that can be attached to a RAM user | 10 | |
The number of tags that can be added to a RAM user | 20 | |
RAM user group | The number of RAM user groups that can be created within an Alibaba Cloud account | 300 |
The number of characters that the name of a RAM user group can contain | 64 | |
The number of system policies that can be attached to a RAM user group | 20 | |
The number of custom policies that can be attached to a RAM user group | 10 | |
RAM role | The number of RAM roles that can be created within an Alibaba Cloud account | 1000 |
The number of characters that the name of a RAM role can contain | 64 | |
The number of system policies that can be attached to a RAM role | 20 | |
The number of custom policies that can be attached to a RAM role | 10 | |
Default domain name. | The number of characters that can be contained in a default domain name (including the suffix). | 64 |
Policy | The number of characters that the name of a policy can contain | 128 |
Multi-factor authentication (MFA) | The number of virtual MFA devices or U2F security keys that can be created within an Alibaba Cloud account | 5000 |
Custom policy | The number of custom policies that can be created within an Alibaba Cloud account | 1500 |
The number of characters that a custom policy can contain | 6144 | |
The number of versions that a custom policy can have | 5 | |
Identity provider (IdP) | The number of Security Assertion Markup Language (SAML) IdPs that can be created within an Alibaba Cloud account | 100 |
The number of SAML IdP descriptors that an IdP metadata file can contain | 1 | |
The number of certificates that an IdP descriptor in an IdP metadata file can contain | 2 | |
The number of OpenID Connect (OIDC) IdPs that can be created within an Alibaba Cloud account | 100 | |
The number of client IDs that can be added to an OIDC IdP | 20 | |
The number of fingerprints that can be added to an OIDC IdP | 5 |
The number of policies that can be attached to a RAM user, RAM user group, or RAM role is not affected by authorization scope. In other words, you can apply the same number of policies whether you grant permissions on a single resource group or on your Alibaba Cloud account.
This topic lists only the default quotas for the items. The quotas of specific items are adjustable. To apply for a quota increase, go to the Quota Center page. You can configure quotas for a wide range of Alibaba Cloud services in Quota Center. For more information, see Services that work with Quota Center.