This page lists the quotas and limits that apply to Identity and Access Management (IAM). Both quotas and limits can restrict the number of requests that you can send or the number of resources that you can create. Limits can also restrict a resource's attributes, such as the length of the resource's identifier.
If a quota is too low to meet your needs, you can use the Google Cloud Console to request a quota increase for your project. If the Cloud Console does not allow you to request a change for a specific quota, contact Google Cloud support.
Limits cannot be changed.
By default, the following IAM quotas apply to each Google Cloud project:
|Read requests (for example, getting a policy)||6,000 per minute|
|Write requests (for example, updating a policy)||600 per minute|
|Service Account Credentials API|
|Requests to generate credentials||60,000 per minute|
|Requests to sign a JSON Web Token (JWT) or blob||60,000 per minute|
|Number of service accounts||100|
IAM enforces the following limits on resources:
|Custom roles for an organization1||300|
|Custom roles for a project1||300|
|Title of a custom role||100 bytes|
|Description of a custom role||256 bytes|
|Total size of the title, description, and permission names for a custom role||64 KB|
|Policies and role bindings|
|Google groups in all role bindings within a single policy2||250|
|Total number of members (including Google groups) in all role bindings within a single policy2||1,500|
|Logic operators in a role binding's condition expression||12|
|Role bindings in a policy that include the same role and the same member, but different condition expressions||20|
|Number of recommendations per day to add a custom role to an organization||15|
|Number of recommendations per day to add a custom role to a project||5|
|Number of custom roles in an organization that prevents recommendations to create new custom roles3||100|
|Number of custom roles in a project that prevents recommendations to create new custom roles4||25|
|Service account ID||30 bytes|
|Service account display name||100 bytes|
|Service account keys for a service account||10|
|Access boundary rules in a Credential Access Boundary||10|
|Maximum lifetime of an access token||
3,600 seconds (1 hour)
For OAuth 2.0 access tokens, you can extend the maximum lifetime to
(43,200 seconds). To do this, identify the
service accounts that need an extended lifetime for tokens, then
these service accounts to an organization policy that includes
1 If you create custom roles at the project level, those custom roles do not count towards the limit at the organization level.
IAM counts all appearances of each member in the policy's bindings.
It does not deduplicate members that appear in more than one binding. For example, if the
user:email@example.com appears in 50 bindings, then
you could add another 1,450 members across all of the policy's bindings.
3 If your organization contains more than 100 custom roles, you will continue to receive recommendations from the IAM recommender. However, none of the recommendations will suggest that you create a new custom role.
4 If your project contains more than 25 custom roles, you will continue to receive recommendations from the IAM recommender. However, none of the recommendations for that project will suggest that you create a new custom role.