This topic describes the limits of Resource Access Management (RAM).

Category Item Upper limit
RAM user The number of RAM users that can be created within an Alibaba Cloud account 5,000
The number of characters that the name of a RAM user can contain 64
The number of RAM user groups that a RAM user can join 10
The number of AccessKey pairs that a RAM user can create 2
The number of multi-factor authentication (MFA) devices that can be enabled for a RAM user 1
The number of system policies that can be attached to a RAM user 20
The number of custom policies that can be attached to a RAM user 10
The number of tags that can be added to a RAM user 20
RAM user group The number of RAM user groups that can be created within an Alibaba Cloud account 300
The number of characters that the name of a RAM user group can contain 64
The number of system policies that can be attached to a RAM user group 20
The number of custom policies that can be attached to a RAM user group 10
RAM role The number of RAM roles that can be created within an Alibaba Cloud account 1,000
The number of characters that the name of a RAM role can contain 64
The number of system policies that can be attached to a RAM role 20
The number of custom policies that can be attached to a RAM role 10
Account alias The number of characters that an account alias can contain 64
Note An account alias must be 3 to 64 characters in length.
Policy The number of characters that the name of a policy can contain 128
MFA The number of MFA devices that can be created within an Alibaba Cloud account 1,000
Custom policy The number of custom policies that can be created within an Alibaba Cloud account 1,500
The number of characters that a custom policy can contain 6,144
The number of versions that a custom policy can have 5
Identity provider (IdP) The number of Security Assertion Markup Language (SAML) IdPs that can be created within an Alibaba Cloud account 100
The number of SAML IdP descriptors that an IdP metadata file can contain 1
The number of certificates that a SAML IdP descriptor in an IdP metadata file can contain 2
The number of OpenID Connect (OIDC) IdPs that can be created within an Alibaba Cloud account 100
The number of client IDs that can be added to an OIDC IdP 20
The number of fingerprints that can be added to an OIDC IdP 5
Note
  • The number of policies that can be attached to a RAM user, RAM user group, or RAM role is not affected by authorization scope. In other words, you can apply the same number of policies whether you grant permissions on a single resource group or on your Alibaba Cloud account.
  • This topic lists only the default quotas for the items. The quotas of specific items are adjustable. To apply for a quota increase, go to the Quota Center page. You can configure quotas for a wide range of Alibaba Cloud services in Quota Center. For more information, see Services that work with Quota Center.