Quotas and limits

This page lists the quotas and limits that apply to Cloud Identity and Access Management (Cloud IAM). Both quotas and limits can restrict the number of requests that you can send or the number of resources that you can create. Limits can also restrict a resource's attributes, such as the length of the resource's identifier.

If a quota is too low to meet your needs, you can use the Google Cloud Console to request a quota increase for your project. If the Cloud Console does not allow you to request a change for a specific quota, contact Google Cloud support.

Limits cannot be changed.

Quotas

By default, the following Cloud IAM quotas apply to each Google Cloud project:

Default quotas
Cloud IAM API
  Read requests (for example, getting a policy): 6,000 per minute
  Write requests (for example, updating a policy): 600 per minute
Service Account Credentials API
  Requests to generate credentials: 60,000 per minute
  Requests to sign a JSON Web Token (JWT) or blob: 60,000 per minute
Service accounts
  Number of service accounts: 100

Limits

Cloud IAM enforces the following limits on resources:

Limits
Custom roles
  Custom roles for an organization [1]: 300
  Custom roles for a project [1]: 300
  Name of a custom role: 100 bytes
  Total size of the title, description, and permission names for a custom role: 64 KB
Policies and bindings
  Google groups in all bindings within a policy [2]: 250
  All members (including Google groups) in all bindings within a policy [2]: 1,500
  Logic operators in a binding's condition expression: 12
  Role bindings in a policy that include the same role and the same member, but different condition expressions: 20
Recommendations
  Number of recommendations per day to add a custom role to an organization: 15
  Number of recommendations per day to add a custom role to a project: 5
  Number of custom roles in an organization that prevents recommendations to create new custom roles [3]: 100
  Number of custom roles in a project that prevents recommendations to create new custom roles [4]: 25
Service accounts
  Service account ID: 30 bytes
  Service account display name: 100 bytes
  Service account keys for a service account: 10
Short-lived credentials
  Access boundary rules in a Credential Access Boundary: 10
  Lifetime of an access token: 3,600 seconds (1 hour)

[1] If you create custom roles at the project level, those custom roles do not count towards the limit at the organization level.

[2] Cloud IAM counts all appearances of each member in the policy's bindings. It does not deduplicate members that appear in more than one binding. For example, if the member user:alice@example.com appears in 50 bindings, then you could add another 1,450 members across all of the policy's bindings.

[3] If your organization contains more than 100 custom roles, you will continue to receive recommendations from the Cloud IAM recommender. However, none of the recommendations will suggest that you create a new custom role.

[4] If your project contains more than 25 custom roles, you will continue to receive recommendations from the Cloud IAM recommender. However, none of the recommendations for that project will suggest that you create a new custom role.
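
The counting rule in footnote 2 is easy to get wrong when auditing a policy, so here is an added example (not part of the original page and not Google's code) that tallies a policy document against the "Policies and bindings" limits above. The function names, the placeholder role names, and the choice to treat an unconditional binding as one distinct condition expression are assumptions made for this example.

```python
from collections import defaultdict

# Limits from the "Policies and bindings" rows of the table on this page.
MAX_GROUPS = 250
MAX_MEMBERS = 1500
MAX_CONDITIONS_PER_PAIR = 20

def policy_usage(policy):
    """Count members as footnote 2 describes: every appearance counts."""
    members = groups = 0
    # (role, member) -> distinct condition expressions bound to that pair.
    # Assumption: an unconditional binding counts as one distinct expression.
    conditions = defaultdict(set)
    for binding in policy.get("bindings", []):
        expr = (binding.get("condition") or {}).get("expression")
        for member in binding.get("members", []):
            members += 1
            if member.startswith("group:"):
                groups += 1
            conditions[(binding["role"], member)].add(expr)
    worst = max((len(exprs) for exprs in conditions.values()), default=0)
    problems = []
    if groups > MAX_GROUPS:
        problems.append(f"{groups} group appearances exceed {MAX_GROUPS}")
    if members > MAX_MEMBERS:
        problems.append(f"{members} member appearances exceed {MAX_MEMBERS}")
    if worst > MAX_CONDITIONS_PER_PAIR:
        problems.append(f"{worst} conditions on one role/member pair exceed "
                        f"{MAX_CONDITIONS_PER_PAIR}")
    return {"members": members, "groups": groups,
            "members_remaining": MAX_MEMBERS - members,
            "max_conditions_per_pair": worst, "problems": problems}

def sample_policy():
    """Constructed sample: alice appears in 50 bindings, as in footnote 2."""
    return {"bindings": [
        {"role": f"roles/example.role{i}",  # placeholder role names
         "members": ["user:alice@example.com"]}
        for i in range(50)]}

if __name__ == "__main__":
    print(policy_usage(sample_policy()))
```

Run against the constructed sample, the tally reports 50 member appearances for a single user, which is why consolidating repeated members into groups or fewer bindings frees headroom under the 1,500 limit.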