How do I share a custom image to deploy ECS instances across accounts in the same region? - Elastic Compute Service

You can use shared images to deploy Elastic Compute Service (ECS) instances across multiple Alibaba Cloud accounts in the same region. After you create a custom image, you can share the custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. Then, the sharees can use the shared image to create identical ECS instances. This topic describes how to share an encrypted custom image and the items that you must take note of when you share the image.

Scenarios

Scenario 1: You want to share images in your Alibaba Cloud account with one or more Alibaba Cloud accounts.
Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.
If you share images in Scenario 2, all accounts in the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.
Note
Resource Directory is a service that you can use to manage relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.
If you have shared a custom image based on resource directories, we recommend that you do not reshare the custom image in the manner described in Scenario 1. This prevents the inconsistency of image sharing data in resource directories.

Preparations

Before you share a custom image, make sure that all sensitive data and files are removed from the image.
When you share a custom image in different scenarios, take note of the following items:
- To share an image with other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.
  To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account, the account ID is an Alibaba Cloud account ID.
- To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account or member accounts. For more information, see Enable a resource directory.
You can share images across accounts only within the same region. If you want to share an image across regions, copy the image to the destination region and then share the image copy. You can also share the image and then copy the image to the desired regions. For more information, see Copy a custom image.

Considerations

Before you share images, take note of the items described in the following tables.

Sharers

Item	Description
Sharing fee	You are not charged for sharing images.
Account permissions	You can share custom images that are created within your account. You cannot share custom images that are created and shared by other accounts. Each custom image can be shared with a limited number of users. In the Quota Center console, you can find Quota of users that can be shared per custom image on the General Quotas page for Elastic Compute Service to check the maximum number of users with whom each custom image can be shared. Note You can request an increase for this quota based on your business requirements in the ECS console. For more information, see View and increase resource quotas. If you want to share images with Alibaba Cloud accounts, you must use your Alibaba Cloud account to share the images. Alibaba Cloud accounts can grant permissions to their Resource Access Management (RAM) users by attaching policies. For example, if Alibaba Cloud Account A shares an image with Alibaba Cloud Account B and Alibaba Cloud Account B has RAM User B1, Account B must grant permissions on the shared image to B1 based on scenarios. Note Scenario 1: If B1 needs to view the shared image, B1 must be granted the permissions to call the DescribeImages operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1: `{ "Version": "1", "Statement": [ { "Action": [ "ecs:DescribeImages", ], "Resource": "", "Effect": "Allow" } ] }` Scenario 2: If B1 needs to create ECS instances from the shared image, B1 must be granted the permissions to call the RunInstances or CreateInstance operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1: `{ "Version": "1", "Statement": [ { "Action": [ "ecs:RunInstances", "ecs:CreateInstance" ], "Resource": "", "Effect": "Allow" } ] }` For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic. In specific cases, Alibaba Cloud accounts must perform fine-grained permission control on their RAM users by attaching custom policies. For example, an Alibaba Cloud account can grant its RAM users only the permissions to create ECS instances from a custom image that is shared by another Alibaba Cloud account, or the permissions to create ECS instances from custom images instead of public images or Alibaba Cloud Marketplace images. For more information, see Configure policies for shared images used to create ECS instances. Images cannot be shared between accounts on the China site and accounts on the International site.
Region	You can share images across accounts only within the same region and cannot share images across regions.

Sharees

Item

Description

Sharing fee

Images that are shared with an account are not included in the image quota of the account. The account is not charged for the shared images.
If a shared image is a paid image and the sharees use the shared image to create ECS instances, the sharees are charged for the image. For example, if you use a paid image that is shared by another Alibaba Cloud account to create an instance, you are charged for the shared image and the created instance.

For more information about image billing, see Images.

Limits

Sharees can use shared images only to create ECS instances. Sharees can copy the shared images to their accounts as custom images and then delete or update the custom images. For more information, see Use shared images.
When the resources that are used by a shared image or the source image are unavailable due to overdue payments or invalid keys, the shared image cannot be used to create ECS instances. In addition, ECS instances that were created from the shared image, and snapshots and images that were created based on the disks of the instances may be unavailable.
You cannot share ECS custom images with Simple Application Server. Custom images created from simple application servers can be shared for use on ECS instances. For more information, see Share a custom image.

Procedure

This section describes how to share an image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. In this example, an unencrypted custom image is used.

Note

If you want to share an encrypted custom image, you must use RAM to obtain the required permissions. For more information, see Share an encrypted custom image.

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Images.
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
In the Share Image dialog box, configure the parameters based on your actual requirements.
- Share the image with other Alibaba Cloud accounts
  1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.
  2. Select After you share the image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the image with the accounts.
  3. Click Confirm.
- Share the image within your organization based on resource directories or folders
  1. In the Sharee Type section, click Shared Organization.
    Note
    Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
  2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
    Note
    In the Resources section of the Create Resource Share page, set the resource type to ECS Image.
After you share the image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.