IAM and Amazon STS quotas
Amazon Identity and Access Management (IAM) and Amazon Security Token Service (STS) have quotas that limit the size of objects. This affects how you name an object, the number of objects you can create, and the number of characters you can use when you pass an object.
Note
To get account-level information about IAM usage and quotas, use the GetAccountSummary API operation or the get-account-summary Amazon CLI command.
IAM name requirements
IAM names have the following requirements and restrictions:
- Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.
- Names of users, groups, roles, policies, instance profiles, server certificates, and paths must be alphanumeric, and can also include the following common characters: plus (+), equals (=), comma (,), period (.), at (@), underscore (_), and hyphen (-). Path names must begin and end with a forward slash (/).
- Names of users, groups, roles, and instance profiles must be unique within the account. They aren't distinguished by case; for example, you can't create groups named both ADMINS and admins.
- The external ID value that a third party uses to assume a role must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equals (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-). For more information about the external ID, see Access to Amazon Web Services accounts owned by third parties.
- Policy names for inline policies must be unique to the user, group, or role they're embedded in. The names can contain any Basic Latin (ASCII) characters except for the following reserved characters: backward slash (\), forward slash (/), asterisk (*), question mark (?), and white space. These characters are reserved according to RFC 3986, section 2.2.
- User passwords (login profiles) can contain any Basic Latin (ASCII) characters.
- Amazon Web Services account ID aliases must be unique across Amazon products, and must be alphanumeric following DNS naming conventions. An alias must be lowercase, it must not start or end with a hyphen, it can't contain two consecutive hyphens, and it can't be a 12-digit number.
For a list of Basic Latin (ASCII) characters, go to the Library of Congress Basic Latin (ASCII) Code Table.
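The naming rules above, gathered into a pre-flight validator you can run before creating IAM objects (an added example for this page, not code from Amazon's documentation or SDKs). The length limits come from the character-limits table further down this page; the function names and the `kind` labels are my own.

```python
import re

# Maximum name lengths from the "IAM and STS character limits" table on this page.
NAME_LIMITS = {"user": 64, "role": 64, "group": 128, "instance-profile": 128, "policy": 128}
_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]+$")          # alphanumerics plus + = , . @ _ -
_PATH_RE = re.compile(r"^/(?:[A-Za-z0-9+=,.@_-]+/)*$")   # "/"-delimited segments of that class
_EXTERNAL_ID_RE = re.compile(r"^[A-Za-z0-9+=,.@:/-]{2,1224}$")  # 2-1224 chars, no white space
_POLICY_DOC_RE = re.compile(r"^[\t\n\r\u0020-\u00ff]*$")  # only tab, LF, CR and U+0020..U+00FF
_ALIAS_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")  # 3-63 char lowercase DNS label


def check_name(kind, name):
    """Return the rules a user/role/group/instance-profile/policy name breaks ([] = OK)."""
    problems = []
    if not _NAME_RE.match(name):
        problems.append("only alphanumerics and + = , . @ _ - are allowed")
    if len(name) > NAME_LIMITS[kind]:
        problems.append(f"{kind} name exceeds {NAME_LIMITS[kind]} characters")
    return problems


def check_path(path):
    problems = [] if _PATH_RE.match(path) else ["path must begin and end with '/'"]
    if len(path) > 512:  # Path limit from the character-limits table
        problems.append("path exceeds 512 characters")
    return problems


def check_external_id(external_id):
    return _EXTERNAL_ID_RE.match(external_id) is not None


def check_policy_document_chars(document):
    """Reject policy JSON that carries characters outside the allowed Unicode ranges."""
    return _POLICY_DOC_RE.match(document) is not None


def check_account_alias(alias):
    problems = []
    if not _ALIAS_RE.match(alias):
        problems.append("alias must be 3-63 lowercase alphanumerics/hyphens, not starting or ending with '-'")
    if "--" in alias:
        problems.append("alias can't contain two consecutive hyphens")
    if re.fullmatch(r"[0-9]{12}", alias):
        problems.append("alias can't be a 12-digit number")
    return problems


def case_insensitive_duplicates(names):
    """IAM treats 'ADMINS' and 'admins' as the same name; return the folded names that clash."""
    seen, clashes = set(), set()
    for name in names:
        key = name.casefold()
        (clashes if key in seen else seen).add(key)
    return clashes
```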
IAM object quotas
Quotas, also referred to as limits in Amazon, are the maximum values for the resources, actions, and items in your Amazon Web Services account. Use Service Quotas to manage your IAM quotas.
For the list of IAM service endpoints and service quotas, see Amazon Identity and Access Management endpoints and quotas in the Amazon Web Services General Reference.
To request a quota increase
- Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to Amazon in the Amazon Sign-In User Guide to sign in to the Amazon Web Services Management Console.
- Open the Service Quotas console.
- In the navigation pane, choose Amazon services.
- On the navigation bar, choose the US East (N. Virginia) Region. Then search for IAM.
- Choose Amazon Identity and Access Management (IAM), choose a quota, and follow the directions to request a quota increase.
For more information, see Requesting a Quota Increase in the Service Quotas User Guide.
You can request an increase to default quotas for adjustable IAM quotas. Requests up to the maximum quota are automatically approved and completed within a few minutes.
The following table lists the resources for which quota increases can be automatically approved.
Resource | Default quota | Maximum quota |
---|---|---|
Customer managed policies per account | 1500 | 5000 |
Groups per account | 300 | 500 |
Instance profiles per account | 1000 | 5000 |
Managed policies per role | 10 | 20 |
Managed policies per user | 10 | 20 |
Managed policies per group | 10 | 10 |
Role trust policy length | 2048 characters | 4096 characters |
Roles per account | 1000 | 5000 |
Server certificates per account | 20 | 1000 |
IAM Access Analyzer quotas
For the list of IAM Access Analyzer service endpoints and service quotas, see IAM Access Analyzer endpoints and quotas in the Amazon Web Services General Reference.
IAM Roles Anywhere quotas
For the list of IAM Roles Anywhere service endpoints and service quotas, see Amazon Identity and Access Management Roles Anywhere endpoints and quotas in the Amazon Web Services General Reference.
STS request quotas
The Amazon STS service has a default request quota of 600 requests per second per account, per region. This quota is shared across the following STS requests that are made using Amazon credentials:
- AssumeRole
- DecodeAuthorizationMessage
- GetAccessKeyInfo
- GetCallerIdentity
- GetFederationToken
- GetSessionToken
For example, if an Amazon Web Services account makes 100 GetCallerIdentity requests per second and 100 AssumeRole calls per second in the same region, that account is consuming 200 of its available 600 STS requests per second for that region.
For cross-account AssumeRole requests, only the account making the AssumeRole request impacts the STS quota. The target account does not have any of its quota consumed.
Note
Requests to Amazon STS by Amazon service principals, such as those used to assume roles for use with an Amazon service, do not consume the STS requests-per-second quota in your accounts.
To request an increase to STS request quotas, open a ticket with Amazon support.
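A way to measure consumption against that quota from CloudTrail records, applying the three rules above (the six operations share one bucket, cross-account AssumeRole is charged to the caller, service-principal calls are exempt); this is an added example, not Amazon's code. The records are constructed and use CloudTrail's `eventSource`, `eventName`, `awsRegion`, `eventTime` and `userIdentity` fields; the account IDs and role ARN are placeholders.

```python
from collections import Counter

STS_QUOTA_PER_SECOND = 600  # default quota per account, per region (from this page)
# The six STS operations that share that quota when called with account credentials.
METERED_STS_OPERATIONS = {"AssumeRole", "DecodeAuthorizationMessage", "GetAccessKeyInfo",
                          "GetCallerIdentity", "GetFederationToken", "GetSessionToken"}


def sts_usage_per_second(events):
    """Count metered STS calls keyed by (calling account, region, second).

    Cross-account AssumeRole is charged to the caller (userIdentity.accountId), never to
    the account that owns the role, and calls by Amazon service principals
    (userIdentity.type == "AWSService") are skipped, as this page describes.
    """
    usage = Counter()
    for event in events:
        if event.get("eventSource") != "sts.amazonaws.com":
            continue
        if event.get("eventName") not in METERED_STS_OPERATIONS:
            continue
        identity = event.get("userIdentity", {})
        if identity.get("type") == "AWSService":
            continue
        # eventTime has whole-second resolution, so it doubles as the bucket key.
        usage[(identity.get("accountId"), event["awsRegion"], event["eventTime"])] += 1
    return usage


def over_quota(usage, quota=STS_QUOTA_PER_SECOND):
    """Return the (account, region, second) buckets whose count exceeds the quota."""
    return {key: count for key, count in usage.items() if count > quota}


def _event(name, account, region, when, identity_type="IAMUser", role_arn=None):
    # Constructed CloudTrail-style record carrying only the fields the counter reads.
    event = {"eventSource": "sts.amazonaws.com", "eventName": name, "awsRegion": region,
             "eventTime": when, "userIdentity": {"type": identity_type, "accountId": account}}
    if role_arn:
        event["requestParameters"] = {"roleArn": role_arn}
    return event


T0 = "2024-05-01T12:00:00Z"
# Constructed sample: the page's own scenario (100 GetCallerIdentity plus 100 cross-account
# AssumeRole in one second), one service-principal call, and one call in another region.
SAMPLE_EVENTS = (
    [_event("GetCallerIdentity", "111111111111", "us-east-1", T0) for _ in range(100)]
    + [_event("AssumeRole", "111111111111", "us-east-1", T0,
              role_arn="arn:aws:iam::222222222222:role/Audit") for _ in range(100)]
    + [_event("AssumeRole", "222222222222", "us-east-1", T0, identity_type="AWSService")]
    + [_event("GetCallerIdentity", "111111111111", "us-west-2", T0)]
)
```

Running `sts_usage_per_second(SAMPLE_EVENTS)` reproduces the page's arithmetic: 200 of 600 consumed in us-east-1, nothing charged to the role-owning account, and the service-principal call ignored.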
IAM and STS character limits
The following are the maximum character counts and size limits for IAM and Amazon STS. You can't request an increase for the following limits.
Description | Limit |
---|---|
Alias for an Amazon Web Services account ID | 3–63 characters |
For inline policies | You can add as many inline policies as you want to an IAM user, role, or group, but the total aggregate policy size (the sum size of all inline policies) per entity can't exceed the following limits: Note: IAM doesn't count white space when calculating the size of a policy against these limits. |
For managed policies | Note: IAM doesn't count white space when calculating the size of a policy against this limit. |
Group name | 128 characters |
Instance profile name | 128 characters |
Password for a login profile | 1–128 characters |
Path | 512 characters |
Policy name | 128 characters |
Role name | 64 characters. Important: If you intend to use a role with the Switch Role feature in the Amazon Web Services Management Console, then the combined |
Role session duration | 12 hours. When you assume a role from the Amazon CLI or API, you can use the |
Role session name | 64 characters |
Role session policies | |
Role session tags | |
SAML authentication response base64 encoded | 100,000 characters. This character limit applies to |
Tag key | 128 characters. This character limit applies to tags on IAM resources and session tags. |
Tag value | 256 characters. This character limit applies to tags on IAM resources and session tags. Tag values can be empty, which means tag values can have a length of 0 characters. |
Unique IDs created by IAM | 128 characters. For example: Note: This isn't intended to be an exhaustive list, nor is it a guarantee that IDs of a certain type begin only with the specified letter combination. |
User name | 64 characters |