IAM name requirements IAM object quotas IAM Access Analyzer quotas IAM and STS character limits

IAM and AWS STS quotas, name requirements, and character limits

AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) have quotas that limit the size of objects. This affects how you name an object, the number of objects you can create, and the number of characters you can use when you pass an object.

Note

To get account-level information about IAM usage and quotas, use the GetAccountSummary API operation or the get-account-summary AWS CLI command.

IAM name requirements

IAM names have the following requirements and restrictions:

Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.
Names of users, groups, roles, policies, instance profiles, and server certificates must be alphanumeric, including the following common characters: plus (+), equal (=), comma (,), period (.), at (@), underscore (_), and hyphen (-).
Names of users, groups, roles, and instance profiles must be unique within the account. They are not distinguished by case, for example, you cannot create groups named both ADMINS and admins.
The external ID value that a third party uses to assume a role must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white space. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-). For more information about the external ID, see How to use an external ID when granting access to your AWS resources to a third party.
Path names must begin and end with a forward slash (/).
Policy names for inline policies must be unique to the user, group, or role they are embedded in. The names can contain any Basic Latin (ASCII) characters minus the following reserved characters: backward slash (\), forward slash (/), asterisk (*), question mark (?), and white space. These characters are reserved according to RFC 3986, section 2.2.
User passwords (login profiles) can contain any Basic Latin (ASCII) characters.
AWS account ID aliases must be unique across AWS products, and must be alphanumeric following DNS naming conventions. An alias must be lowercase, it must not start or end with a hyphen, it cannot contain two consecutive hyphens, and it cannot be a 12-digit number.

For a list of Basic Latin (ASCII) characters, go to the Library of Congress Basic Latin (ASCII) Code Table.

IAM object quotas

Quotas, also referred to as limits in AWS, are the maximum values for the resources, actions, and items in your AWS account. Use Service Quotas to manage your IAM quotas. You can request an increase to default quotas for adjustable IAM quotas. Requests up to the maximum quota are automatically approved and are completed within a few minutes.

To request a quota increase, sign in to the AWS Management Console and open the Service Quotas console at https://console.aws.amazon.com/servicequotas/. In the navigation pane, choose AWS services. On the navigation bar, choose the US East (N. Virginia) Region. Then search for IAM. Choose AWS Identity and Access Management (IAM), choose a quota, and follow the directions to request a quota increase. For more information, see Requesting a Quota Increase in the Service Quotas User Guide.

To see an example of how to request an IAM quota increase using the Service Quotas console, watch the following video.

The following quotas are adjustable.

Default quotas for IAM entities
Resource	Default quota	Maximum quota
Customer managed policies in an AWS account	1500	5000
Groups in an AWS account	300	500
Instance profiles in an AWS account	1000	5000
Managed policies attached to an IAM role	10	20
Managed policies attached to an IAM user	10	20
Role trust policy length	2048 characters	4096 characters
Roles in an AWS account	1000	5000
Server certificates stored in an AWS account	20	1000
Virtual MFA devices (assigned or unassigned) in an AWS account	Equal to the user quota for the account	Not applicable

You cannot request an increase for the following quotas.

Quotas for IAM entities
Resource	Quota
Access keys assigned to an IAM user	2
Access keys assigned to the AWS account root user	2
Aliases for an AWS account	1
Groups an IAM user can be a member of	10
IAM users in a group	Equal to the user quota for the account
Identity providers (IdPs) associated with an IAM SAML provider object	10
Keys per SAML provider	10
Login profiles for an IAM user	1
Managed policies attached to an IAM group	10
OpenId Connect identity providers per AWS account	100
Permissions boundaries for an IAM user	1
Permissions boundaries for an IAM role	1
MFA devices in use by an IAM user	8
MFA devices in use by the AWS account root user	8
Roles in an instance profile	1
SAML providers in an AWS account	100
Signing certificates assigned to an IAM user	2
SSH public keys assigned to an IAM user	5
Tags that can be attached to a customer managed policy	50
Tags that can be attached to a SAML identity provider	50
Tags that can be attached to a server certificate	50
Tags that can be attached to a virtual MFA device	50
Tags that can be attached to an instance profile	50
Tags that can be attached to an IAM role	50
Tags that can be attached to an IAM user	50
Tags that can be attached to an Open ID Connect (OIDC) identity provider	50
Users in an AWS account	5000 (If you need to add a large number of users, consider using temporary security credentials.)
Versions of a managed policy that can be stored	5

IAM Access Analyzer quotas

For IAM Access Analyzer quotas, see IAM Access Analyzer Quotas.

IAM and STS character limits

The following are the maximum character counts and size limits for IAM and AWS STS. You cannot request an increase for the following limits.

Description	Limit
Alias for an AWS account ID	3–63 characters
For inline policies	You can add as many inline policies as you want to an IAM user, role, or group. But the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following limits: User policy size cannot exceed 2,048 characters. Role policy size cannot exceed 10,240 characters. Group policy size cannot exceed 5,120 characters. Note IAM does not count white space when calculating the size of a policy against these limits.
For managed policies	The size of each managed policy cannot exceed 6,144 characters. Note IAM does not count white space when calculating the size of a policy against this limit.
Group name	128 characters
Instance profile name	128 characters
Password for a login profile	1–128 characters
Path	512 characters
Policy name	128 characters
Role name	64 characters Important If you intend to use a role with the Switch Role feature in the AWS Management Console, then the combined `Path` and `RoleName` cannot exceed 64 characters.
Role session duration	12 hours When you assume a role from the AWS CLI or API, you can use the `duration-seconds` CLI parameter or the `DurationSeconds` API parameter to request a longer role session. You can specify a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which can range 1–12 hours. If you don't specify a value for the `DurationSeconds` parameter, your security credentials are valid for one hour. IAM users who switch roles in the console are granted the maximum session duration, or the remaining time in the user's session, whichever is less. The maximum session duration setting does not limit sessions assumed by AWS services. To learn how to view the maximum value for your role, see View the maximum session duration setting for a role.
Role session name	64 characters
Role session policies	The size of the passed JSON policy document and all passed managed policy ARN characters combined cannot exceed 2,048 characters. You can pass a maximum of 10 managed policy ARNs when you create a session. You can pass only one JSON policy document when you programmatically create a temporary session for a role or federated user. Additionally, an AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. The `PackedPolicySize` response element indicates by percentage how close the policies and tags for your request are to the upper size limit. We recommend that you pass session policies using the AWS CLI or AWS API. The AWS Management Console might add additional console session information to the packed policy.
Role session tags	Session tags must meet the tag key limit of 128 characters and the tag value limit of 256 characters. You can pass up to 50 session tags. An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. You can pass session tags using the AWS CLI or AWS API. The `PackedPolicySize` response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
SAML authentication response base64 encoded	100,000 characters This character limit applies to `assume-role-with-saml` CLI or `AssumeRoleWithSAML` API operation.
Tag key	128 characters This character limit applies to tags on IAM resources and session tags.
Tag value	256 characters This character limit applies to tags on IAM resources and session tags. Tag values can be empty which means tag values can have a length of 0 characters.
Unique IDs created by IAM	128 characters. For example: User IDs that begin with `AIDA` Group IDs that begin with `AGPA` Role IDs that begin with `AROA` Managed policy IDs that begin with `ANPA` Server certificate IDs that begin with `ASCA` Note This is not intended to be an exhaustive list, nor is it a guarantee that IDs of a certain type begin only with the specified letter combination.
User name	64 characters

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

IAM identifiers

Services that work with IAM