This topic lists the Resource Access Management (RAM) quotas and describes how to request a quota increase.
Classification of Restrictions | Item | Maximum value | How to request an increase |
RAM user | Number of RAM users per Alibaba Cloud account | 5,000 | Not applicable |
Number of characters in a RAM user's name | 64 | Not applicable | |
Number of user groups a RAM user can join | 10 | Not applicable | |
Number of AccessKey pairs a RAM user can create | 2 | Not applicable | |
Number of multi-factor authentication (MFA) devices that can be attached to a RAM user | 1 | Not applicable | |
Number of system policies that can be attached to a RAM user | 20 | ||
Number of custom policies that can be attached to a RAM user | 10 | ||
Number of tags that can be attached to a RAM user | 20 | Not applicable | |
RAM user group | Number of RAM user groups per Alibaba Cloud account | 300 | Not applicable |
Number of characters in a RAM user group's name | 64 | Not applicable | |
Number of system policies that can be attached to a RAM user group | 20 | ||
Number of custom policies that can be attached to a RAM user group | 10 | ||
RAM role | Number of RAM roles per Alibaba Cloud account | 1,000 | |
Number of characters in a RAM role's name | 64 | Not applicable | |
Number of system policies that can be attached to a RAM role | 20 | ||
Number of custom policies that can be attached to a RAM role | 10 | ||
Default domain name | Number of characters in a default domain name (including the suffix) | 64 | Not applicable |
Access policy | Number of characters in an access policy's name | 128 | Not applicable |
Multi-factor authentication | Number of virtual MFA devices or U2F security keys per Alibaba Cloud account | 5,000 | Not applicable |
Number of RAM users that can be attached to a security email address | 5 | Not applicable | |
Custom policy | Number of custom policies per Alibaba Cloud account | 1,500 | |
Number of characters in a custom policy document | 6,144 | Not applicable | |
Number of versions for a custom policy | 5 | Not applicable | |
Identity provider | Number of SAML IdPs per Alibaba Cloud account | 100 | Not applicable |
Number of IdPs per SAML provider | 1 | Not applicable | |
Number of certificates per IdP descriptor in a SAML IdP metadata file | 2 | Not applicable | |
Number of OIDC IdPs per Alibaba Cloud account | 100 | Not applicable | |
Number of client IDs per OIDC IdP | 20 | Not applicable | |
Number of thumbprints per OIDC IdP | 5 | Not applicable |
The policy attachment quota for a RAM user, RAM user group, or RAM role is independent of the authorization scope. The policy quotas for permissions granted on a single resource group and on an entire Alibaba Cloud account are identical and calculated independently.
RAM roles whose names start with AliyunReservedSSO are used when you deploy an access configuration in CloudSSO. The quotas for custom and system policies that can be attached to these roles (access configurations) are configured in CloudSSO. For more information, see Limits.