When you share images with other accounts, for example encrypted custom images, you can use this topic to configure policies that control permissions on different resources.
Scenarios
- Configure policies to grant permissions to B1 to use only the custom image shared by A to create an Elastic Compute Service (ECS) instance in the China (Hangzhou) region.
The following figure shows the workflow of this scenario.
For more information, see Configure policies to grant permissions to B1 to use only the custom image shared by A to create an ECS instance.
- Configure policies to grant permissions to B1 to use only a custom image (including a shared image) instead of a public image or an Alibaba Cloud Marketplace image to create an ECS instance in the China (Hangzhou) region.
The following figure shows the workflow of this scenario.
For more information, see Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance.
Preparations
- Obtain the account IDs of A and B.
To obtain the ID of an Alibaba Cloud account, move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console. If the account is identified as Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.
- Use B to grant B1 the permissions required to create ECS instances. The following example provides a sample policy that can be configured to grant permissions to B1:
  {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "ecs:RunInstances",
          "ecs:CreateInstance"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }
- If you share an encrypted custom image, you must configure other policies. For more information, see Share an encrypted custom image.
Configure policies to grant permissions to B1 to use only the custom image shared by A to create an ECS instance
Grant permissions to B1
Verify the permissions of B1
- Use a custom image shared by A to create an ECS instance.
  - Procedure: For more information, see Use a shared image to create ECS instances.
  - Result: The ECS instance is created.
- Use a custom image shared by another Alibaba Cloud account such as C to create an ECS instance.
  - Procedure: For more information, see Use a shared image to create ECS instances.
  - Result: The following error message appears when B1 confirms the order.
Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance
Grant permissions to B1
Verify the permissions of B1
- Use a shared custom image to create an ECS instance.
  - Procedure: For more information, see Use a shared image to create ECS instances.
  - Result: The ECS instance is created.
- Use a public image or an Alibaba Cloud Marketplace image to create an ECS instance.
  - Procedure: For more information, see Create an instance by using the wizard.
  - Result: The following error message appears when B1 confirms the order.