Lists RAM quotas and how to request a quota increase.
|
Category |
Quota |
Limit |
Adjustable |
|
RAM user |
RAM users per Alibaba Cloud account |
5000 |
No |
|
Characters in a RAM user name |
64 |
No |
|
|
Groups per RAM user |
10 |
No |
|
|
AccessKey pairs per RAM user |
2 |
No |
|
|
MFA devices per RAM user |
1 |
No |
|
|
System policies per RAM user |
20 |
Yes (Apply for a quota) |
|
|
Custom policies per RAM user |
10 |
Yes (Apply for a quota) |
|
|
Tags per RAM user |
20 |
No |
|
|
RAM user group |
RAM user groups per Alibaba Cloud account |
300 |
No |
|
Characters in a RAM user group name |
64 |
No |
|
|
System policies per RAM user group |
20 |
Yes (Apply for a quota) |
|
|
Custom policies per RAM user group |
10 |
Yes (Apply for a quota) |
|
|
RAM role |
RAM roles per Alibaba Cloud account |
1000 |
Yes (Apply for a quota) |
|
Characters in a RAM role name |
64 |
No |
|
|
System policies per RAM role |
20 |
Yes (Apply for a quota) |
|
|
Custom policies per RAM role |
10 |
Yes (Apply for a quota) |
|
|
Default domain name |
Characters in a default domain name (including suffix) |
64 |
No |
|
Policy |
Characters in a policy name |
128 |
No |
|
MFA |
Virtual MFA devices or U2F security keys per Alibaba Cloud account |
5000 |
No |
|
RAM users per security phone number |
5 |
No |
|
|
RAM users per email address |
5 |
No |
|
|
Custom policy |
Custom policies per Alibaba Cloud account |
1500 |
Yes (Apply for a quota) |
|
Characters in a custom policy |
6144 |
No |
|
|
Versions per custom policy |
5 |
No |
|
|
Identity provider (IdP) |
SAML IdPs per Alibaba Cloud account |
100 |
No |
|
SAML IdP descriptors per metadata file |
1 |
No |
|
|
Certificates per IdP descriptor in a metadata file |
2 |
No |
|
|
OIDC IdPs per Alibaba Cloud account |
100 |
No |
|
|
Client IDs per OIDC IdP |
20 |
No |
|
|
Fingerprints per OIDC IdP |
5 |
No |
-
Policy attachment quotas for RAM users, RAM user groups, and RAM roles are independent of authorization scope. For example, the quota within a resource group equals the account-wide quota, and they are counted separately.
-
RAM roles prefixed with AliyunReservedSSO are provisioned by CloudSSO when an access configuration is deployed. The limits on the number of attachable custom and system policies for these roles are configured centrally in the CloudSSO console. Limitations of CloudSSO.