Quotas and limits

This page lists the quotas and limits that apply to Identity and Access Management (IAM). Both quotas and limits can restrict the number of requests that you can send or the number of resources that you can create. Limits can also restrict a resource's attributes, such as the length of the resource's identifier.

If a quota is too low to meet your needs, you can use the Google Cloud Console to request a quota increase for your project. If the Cloud Console does not allow you to request a change for a specific quota, contact Google Cloud support.

Limits cannot be changed.

Quotas

By default, the following IAM quotas apply to each Google Cloud project:

Default quotas

IAM API
  Read requests (for example, getting a policy): 6,000 per minute
  Write requests (for example, updating a policy): 600 per minute

Service Account Credentials API
  Requests to generate credentials: 60,000 per minute
  Requests to sign a JSON Web Token (JWT) or blob: 60,000 per minute

Service accounts
  Number of service accounts: 100

Limits

IAM enforces the following limits on resources:

Limits

Custom roles
  Custom roles for an organization [1]: 300
  Custom roles for a project [1]: 300
  Title of a custom role: 100 bytes
  Description of a custom role: 256 bytes
  Total size of the title, description, and permission names for a custom role: 64 KB

Policies and bindings
  Google groups in all bindings within a policy [2]: 250
  All members (including Google groups) in all bindings within a policy [2]: 1,500
  Logic operators in a binding's condition expression: 12
  Role bindings in a policy that include the same role and the same member, but different condition expressions: 20

Recommendations
  Number of recommendations per day to add a custom role to an organization: 15
  Number of recommendations per day to add a custom role to a project: 5
  Number of custom roles in an organization that prevents recommendations to create new custom roles [3]: 100
  Number of custom roles in a project that prevents recommendations to create new custom roles [4]: 25

Service accounts
  Service account ID: 30 bytes
  Service account display name: 100 bytes
  Service account keys for a service account: 10

Short-lived credentials
  Access boundary rules in a Credential Access Boundary: 10
  Maximum lifetime of an access token: 3,600 seconds (1 hour)
    For OAuth 2.0 access tokens, you can extend the maximum lifetime to 12 hours (43,200 seconds). To do this, identify the service accounts that need an extended lifetime for tokens, then add these service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

[1] If you create custom roles at the project level, those custom roles do not count towards the limit at the organization level.

[2] IAM counts all appearances of each member in the policy's bindings. It does not deduplicate members that appear in more than one binding. For example, if the member user:alice@example.com appears in 50 bindings, then you could add another 1,450 members across all of the policy's bindings.

[3] If your organization contains more than 100 custom roles, you will continue to receive recommendations from the IAM recommender. However, none of the recommendations will suggest that you create a new custom role.

[4] If your project contains more than 25 custom roles, you will continue to receive recommendations from the IAM recommender. However, none of the recommendations for that project will suggest that you create a new custom role.
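
The member-counting rule in footnote 2 and the "Policies and bindings" limits can be checked against a policy document before you write it. The following is an added example, not code from this page or from Google: the function names, the sample policy and its role names are hypothetical, the input is assumed to be the JSON form of an IAM policy (a "bindings" list with "role", "members" and an optional "condition"), and an unconditional binding is assumed to count as one condition variant.

```python
from collections import defaultdict

# Limits from the "Policies and bindings" table on this page.
MAX_MEMBERS = 1500            # all members, Google groups included
MAX_GROUPS = 250              # Google groups only
MAX_CONDITION_VARIANTS = 20   # same role + same member, different conditions


def policy_usage(policy):
    """Count members the way footnote 2 describes: every appearance counts."""
    members = groups = 0
    variants = defaultdict(set)  # (role, member) -> distinct condition expressions
    for binding in policy.get("bindings", []):
        expression = binding.get("condition", {}).get("expression", "")
        for member in binding.get("members", []):
            members += 1  # no deduplication across bindings
            if member.startswith("group:"):
                groups += 1
            variants[(binding["role"], member)].add(expression)
    worst = max((len(v) for v in variants.values()), default=0)
    return {"members": members, "groups": groups, "max_condition_variants": worst}


def check_policy(policy):
    """Return usage, remaining member headroom, and the names of exceeded limits."""
    usage = policy_usage(policy)
    exceeded = []
    if usage["members"] > MAX_MEMBERS:
        exceeded.append("members")
    if usage["groups"] > MAX_GROUPS:
        exceeded.append("groups")
    if usage["max_condition_variants"] > MAX_CONDITION_VARIANTS:
        exceeded.append("condition_variants")
    remaining = MAX_MEMBERS - usage["members"]
    return {"usage": usage, "members_remaining": remaining, "exceeded": exceeded}


# Constructed sample: the footnote's case, one user repeated across 50 bindings.
# The role names are placeholders, not real roles.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": f"roles/example.role{i}", "members": ["user:alice@example.com"]}
        for i in range(50)
    ],
}

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))
```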