This topic describes Resource Access Management (RAM)-related quotas and how to request a quota increase.
Category | Quota | Upper limit | Adjustable |
RAM user | The number of RAM users that can be created within an Alibaba Cloud account | 5000 | No |
The number of characters that can be contained in a RAM user name | 64 | No | |
The maximum number of RAM user groups to which a RAM user can be added | 10 | No | |
The number of AccessKey pairs that a RAM user can create | 2 | No | |
The number of multi-factor authentication (MFA) devices that can be bound to a RAM user | 1 | No | |
The number of system policies that can be attached to a RAM user | 20 | Yes (Apply for a quota) | |
The number of custom policies that can be attached to a RAM user | 10 | Yes (Apply for a quota) | |
The number of tags that can be added to a RAM user | 20 | No | |
RAM user group | The number of RAM user groups that can be created within an Alibaba Cloud account | 300 | No |
The number of characters that can be contained in a RAM user group name | 64 | No | |
The number of system policies that can be attached to a RAM user group | 20 | Yes (Apply for a quota) | |
The number of custom policies that can be attached to a RAM user group | 10 | Yes (Apply for a quota) | |
RAM role | The number of RAM roles that can be created within an Alibaba Cloud account | 1000 | Yes (Apply for a quota) |
The number of characters that can be contained in a RAM role name | 64 | No | |
The number of system policies that can be attached to a RAM role | 20 | Yes (Apply for a quota) | |
The number of custom policies that can be attached to a RAM role | 10 | Yes (Apply for a quota) | |
Default domain name | The number of characters that can be contained in a default domain name (including the suffix) | 64 | No |
Policy | The number of characters that can be contained in a policy name | 128 | No |
MFA | The number of virtual MFA devices or U2F security keys that can be created within an Alibaba Cloud account | 5000 | No |
The number of RAM users that can be bound to an email address | 5 | No | |
Custom policy | The number of custom policies that can be created within an Alibaba Cloud account | 1500 | Yes (Apply for a quota) |
The number of characters that can be contained in a custom policy | 6144 | No | |
The number of versions that a custom policy can have | 5 | No | |
Identity provider (IdP) | The number of Security Assertion Markup Language (SAML) IdPs that can be created within an Alibaba Cloud account | 100 | No |
The number of SAML IdP descriptors that an IdP metadata file can contain | 1 | No | |
The number of certificates that an IdP descriptor in an IdP metadata file can contain | 2 | No | |
The number of OpenID Connect (OIDC) IdPs that can be created within an Alibaba Cloud account | 100 | No | |
The number of client IDs that can be added to an OIDC IdP | 20 | No | |
The number of fingerprints that can be added to an OIDC IdP | 5 | No |
The quotas for the number of policies that can be attached to a RAM user, RAM user group, or RAM role are independent of the authorization scope. For example, the quota for policies granted within a single resource group is the same as the quota for policies granted account-wide, and they do not share a limit.
RAM roles with names prefixed by AliyunReservedSSO are provisioned by CloudSSO when an access configuration is deployed. For these roles, the limits on the number of attachable custom and system policies are configured centrally in the CloudSSO console. For more information, see Limitations of CloudSSO.