In scenarios where you want to share images with other accounts, such as sharing encrypted custom images, you can refer to this topic to configure specific policies to control permissions on different resources.

Scenarios

In this topic, Alibaba Cloud accounts A and B and RAM user B1 that belongs to B are used to show how to configure policies to control permissions on resources in the following scenarios:

Preparations

  • Obtain the account IDs of A and B.

    To obtain the ID of an Alibaba Cloud account, move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console. If the account is identified as Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

  • Use B to grant B1 the permissions required to create ECS instances. The following example provides a sample policy that can be configured to grant permissions to B1:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RunInstances",
                    "ecs:CreateInstance"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • If you share an encrypted custom image, you must configure other policies. For more information, see Share an encrypted custom image.

Configure policies to grant permissions to B1 to use only the custom image shared by A to create an ECS instance

Grant permissions to B1

  1. Use B to create a custom policy.
    For more information, see Create a custom policy on the JSON tab.
    The following example shows a sample policy that can be configured. Replace the value of the ecs:ImageOwnerId condition key (123456789012**** in the example) with the account ID of A, and replace cn-hangzhou in the Resource element with the ID of the region in which the ECS instances are created. The Deny statement takes effect whenever the owner of the image is not A, so B1 can use only custom images shared by A to create ECS instances.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Effect": "Deny",
          "Resource": "acs:ecs:cn-hangzhou:*:image/*",
          "Condition": {
            "StringNotEquals": {
              "ecs:ImageOwnerId": "123456789012****"
            }
          }
        }
      ]
    }
  2. Use B to attach the created policy to B1.
    For more information, see Grant permissions to a RAM user.

Verify the permissions of B1

Use B1 to create an ECS instance from a custom image in the following two ways:
  • Use a custom image shared by A to create an ECS instance.
  • Use a custom image shared by another Alibaba Cloud account such as C to create an ECS instance.
Based on the policy that is attached to B1, the first attempt is expected to succeed and the second attempt is expected to be denied.

Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance

Grant permissions to B1

  1. Use B to create a custom policy.
    For more information, see Create a custom policy on the JSON tab.
    The following example shows a sample policy that can be configured. Replace cn-hangzhou in the Resource element with the ID of the region in which the ECS instances are created. The Deny statement takes effect whenever the image source is not Custom, so B1 can use only custom images to create ECS instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RunInstances",
                    "ecs:CreateInstance"
                ],
                "Effect": "Deny",
                "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
                "Condition": {
                    "StringNotEquals": {
                        "ecs:ImageSource": "Custom"
                    }
                }
            }
        ]
    }
  2. Use B to attach the created policy to B1.
    For more information, see Grant permissions to a RAM user.

Verify the permissions of B1

Use B1 to create an ECS instance in the following two ways:
  • Use a shared custom image to create an ECS instance.
  • Use a public image or an Alibaba Cloud Marketplace image to create an ECS instance.
Based on the policy that is attached to B1, the first attempt is expected to succeed and the second attempt is expected to be denied.
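To check how the two Deny policies above combine with the Allow policy from Preparations before attaching them, the following Python evaluator replays constructed RunInstances requests against the page's policies. It is added here and is not Alibaba Cloud code: it is a simplified model of RAM policy evaluation that assumes an explicit Deny overrides an Allow, that an absent condition key counts as not equal, and that account IDs other than the page's 123456789012**** placeholder are constructed. It also shows a caveat of the page's policies: because the Deny statements are scoped to cn-hangzhou, the same requests in another region are not denied.

```python
import fnmatch

# The three policies from this topic as Python dicts, with the inline comments removed
# so they are valid policy JSON. "123456789012****" is the page's placeholder for account A.
ACTIONS = ["ecs:RunInstances", "ecs:CreateInstance"]
ALLOW_BASE = {"Version": "1", "Statement": [
    {"Action": ACTIONS, "Resource": "*", "Effect": "Allow"}]}
DENY_NOT_FROM_A = {"Version": "1", "Statement": [
    {"Action": ACTIONS, "Effect": "Deny", "Resource": "acs:ecs:cn-hangzhou:*:image/*",
     "Condition": {"StringNotEquals": {"ecs:ImageOwnerId": "123456789012****"}}}]}
DENY_NOT_CUSTOM = {"Version": "1", "Statement": [
    {"Action": ACTIONS, "Effect": "Deny", "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
     "Condition": {"StringNotEquals": {"ecs:ImageSource": "Custom"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    # Only the operators used on this page. An absent key counts as "not equal" (assumption).
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
    return True


def _applies(stmt, action, resources, ctx):
    # A statement applies when the action, at least one request resource and the condition match.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(r, p) for r in resources for p in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resources, ctx):
    """Explicit Deny wins over Allow; no matching statement is an implicit deny (assumed order)."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, resources, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


def run_instances(extra_policy, image_owner, image_source, region="cn-hangzhou"):
    # Constructed request: B1 calls RunInstances; 210987654321**** is a placeholder for account B.
    resources = [f"acs:ecs:{region}:210987654321****:instance/*",
                 f"acs:ecs:{region}:{image_owner}:image/m-constructed"]
    ctx = {"ecs:ImageOwnerId": image_owner, "ecs:ImageSource": image_source}
    return evaluate([ALLOW_BASE, extra_policy], "ecs:RunInstances", resources, ctx)
```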