Rule Changes for Creating Cloud Disk Using Shared Encrypted Images (ECS / Auto Scaling / ACK)
Affected Time
Starting from July 1st, 2025, the OpenAPI rules for creating cloud disks from shared encrypted images will change. After the change, when an image sharee calls a relevant interface with a shared encrypted image and a cloud disk is created from an encrypted snapshot, the request parameter Encrypted=true must be specified for that cloud disk. This ensures that the created cloud disk uses the image sharee's own key.
Reason for the change
This change prevents the situation where the image sharee can no longer use a shared encrypted image normally because the sharer's original key has been disabled or deleted, or because the key usage permission granted to the image sharee has expired.
Details of the Change
The OpenAPI interfaces involved in the change include:
Elastic Compute Service ECS interface:
Auto Scaling interface:
Container Service for Kubernetes ACK interface:
● Rules before the change: When any of the above interfaces is called with ImageId set to a shared encrypted image, and the system disk snapshot or a data disk snapshot in that image is encrypted, a cloud disk whose Encrypted request parameter is not specified is created with the key of the shared encrypted image itself (that is, the key of the image sharer).
● Rules after the change: When any of the above interfaces is called with ImageId set to a shared encrypted image, and the system disk snapshot or a data disk snapshot in that image is encrypted, the user must set the Encrypted parameter of the corresponding cloud disk to true for the call to succeed, and the created cloud disk is encrypted with the image sharee's own key. If the Encrypted parameter is not specified for the cloud disk, the interface call reports an error.
What users need to do
- Code or template modification: If you call the above interfaces in code or in a template (such as an Elastic Compute Service ECS launch template, Auto Scaling launch template, Resource Orchestration Service ROS template or CloudOps Orchestration Service OOS template) and specify a shared encrypted image in the request parameters, make sure that the request parameter Encrypted of each cloud disk to be encrypted is set to true in the code or template.
- Behavior optimization: For the image sharee:
- Create a new cloud disk: When calling the above interfaces with a shared encrypted image, make sure to specify Encrypted=true for the cloud disk to be encrypted, so that the interface call succeeds and the encrypted cloud disk uses your own key instead of the original key of the shared encrypted image.
- Existing cloud disks: If you have already created a cloud disk from a shared encrypted image without specifying the Encrypted value, use this instance to create a custom image, and then specify Encrypted=true for the cloud disk when using the new image to create a cloud disk (or replace the system disk). Continuing to use the original cloud disk is not recommended, to avoid the impact of key expiration.
- For the image sharer: If the shared image is an encrypted image, it needs to be encrypted by a Customer Master Key (CMK), not a Service Key.
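A pre-flight check for the code and template modification described above, written as an added example (it is not part of the notice and is not Alibaba Cloud code). It assumes request parameters are held as flat dictionaries with hypothetical `<disk>.Encrypted` keys, and that you maintain an inventory recording which images are shared and which of their disks have encrypted snapshots; all IDs below are constructed placeholders.

```python
# Added example: flags disks that the post-change rule would reject.
# Assumed, not from the notice: flat "<disk>.Encrypted" request keys and the
# constructed image inventory below (which disks have encrypted snapshots).

def audit_request(request, image):
    """Return [(disk, reason)] for disks that need Encrypted=true but lack it."""
    if not image["shared"]:
        return []  # the rule concerns shared encrypted images only
    findings = []
    for disk in image["encrypted_snapshot_disks"]:
        value = request.get(f"{disk}.Encrypted")
        if value is None:
            findings.append((disk, "Encrypted not specified"))
        elif str(value).strip().lower() != "true":
            findings.append((disk, f"Encrypted={value}, must be true"))
    return findings


def audit_templates(templates, images):
    """Audit named parameter sets; return {template_name: findings} for failures."""
    report = {}
    for name, request in templates.items():
        image = images.get(request.get("ImageId"))
        if image is None:
            report[name] = [("ImageId", "image not in inventory, cannot verify")]
            continue
        findings = audit_request(request, image)
        if findings:
            report[name] = findings
    return report


# Constructed sample data (placeholder IDs, not real resources).
IMAGES = {
    "m-shared-enc-example": {"shared": True,
                             "encrypted_snapshot_disks": ["SystemDisk", "DataDisk.1"]},
    "m-own-example": {"shared": False, "encrypted_snapshot_disks": ["SystemDisk"]},
}
TEMPLATES = {
    "web-ok": {"ImageId": "m-shared-enc-example",
               "SystemDisk.Encrypted": "true", "DataDisk.1.Encrypted": True},
    "web-legacy": {"ImageId": "m-shared-enc-example", "SystemDisk.Encrypted": "false"},
    "internal": {"ImageId": "m-own-example"},
}

if __name__ == "__main__":
    for name, findings in audit_templates(TEMPLATES, IMAGES).items():
        for disk, reason in findings:
            print(f"{name}: {disk}: {reason}")
```

Templates that reference an image missing from the inventory are reported rather than passed, so an unknown shared image cannot slip through unchecked.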