You can use shared images to deploy Elastic Compute Service (ECS) instances across multiple Alibaba Cloud accounts in the same region. After you create a custom image, you can share the custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. Then, the sharees can use the shared image to create identical ECS instances. This topic describes how to share unencrypted custom images and the precautions to take when you share them.

Scenarios

  • Scenario 1: You want to share images in your Alibaba Cloud account with one or more Alibaba Cloud accounts.
  • Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.

    If you share images in Scenario 2, all accounts in the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.

    Note: Resource Directory is a service that you can use to manage relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.

    If you have shared a custom image based on resource directories, we recommend that you do not reshare the custom image in the manner described in Scenario 1. Doing so prevents inconsistent image sharing data in resource directories.

Preparations

  • Before you share a custom image, make sure that all sensitive data and files are removed from the image.
  • When you share a custom image in different scenarios, take note of the following items:
    • To share an image with other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.

      To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

    • To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account and member accounts. For more information, see Enable a resource directory.
  • You can share images across accounts only within the same region. If you want to share images across regions, you must copy the image to the destination region and then share the image copy. You can also share the image and then copy the shared image to the desired regions. For more information, see Copy an image.
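
One way to check the first preparation item above before you create the image to be shared, as an added example that is not Alibaba Cloud's own tooling: the script walks a Linux root file system (a live instance or a mounted disk) and lists leftover credential, history and private-key files. The file-name list is an assumed, non-exhaustive starting point, and `demo()` runs the scan on a constructed sample tree.

```python
import os
import re
import tempfile

# Assumed, non-exhaustive file names that commonly hold secrets on a Linux image.
SENSITIVE_NAMES = re.compile(
    r"/(\.(bash|zsh)_history|authorized_keys|\.netrc|\.aliyun/config\.json)$")
PRIVATE_KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def find_sensitive_files(root):
    """Return sorted (relative_path, reason) pairs for files to review before sharing."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # skip kernel pseudo file systems at the top level
            dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if SENSITIVE_NAMES.search("/" + rel):
                findings.append((rel, "credential or history file"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable file is skipped; run as root for full coverage
            if PRIVATE_KEY_HEADER.search(head):
                findings.append((rel, "private key material"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "root/.bash_history": b"constructed history line\n",
            "root/.aliyun/config.json": b'{"profiles": []}\n',
            "etc/ssh/ssh_host_ed25519_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
            "etc/hostname": b"build-host\n",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return find_sensitive_files(root)
```

An empty result from `find_sensitive_files("/")` only means none of the assumed patterns matched; application data and configuration files still need a manual review.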

Precautions

Before you share images, take note of the items described in the following tables.

Sharers

Item | Description
Sharing fee | You are not charged for sharing images.
Account permission
  • You can share custom images that are created within your account. You cannot share custom images that are created and shared by other accounts.
  • Each custom image can be shared with a limited number of users. You can find Quota of users that can be shared per custom image on the Resource Quota tab in the ECS console to check the maximum number of users that each custom image can be shared with.
    Note: You can request an increase for this quota based on your business requirements in the ECS console. For more information, see View and increase resource quotas.
  • If you want to share images with Alibaba Cloud accounts, you must use your Alibaba Cloud account to share the images. Alibaba Cloud accounts can grant permissions to their Resource Access Management (RAM) users by attaching policies.
    • For example, if Alibaba Cloud Account A shares an image with Alibaba Cloud Account B and Alibaba Cloud Account B has RAM User B1, Account B must grant permissions on the shared image to B1 based on scenarios.
      Note:
      Scenario 1: If B1 needs to view the shared image, B1 must be granted the permissions to call the DescribeImages operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:DescribeImages"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Scenario 2: If B1 needs to create ECS instances from the shared image, B1 must be granted the permissions to call the RunInstances or CreateInstance operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      For more information, see Create a custom policy on the JSON tab.
    • In specific cases, Alibaba Cloud accounts must perform fine-grained permission control on their RAM users by attaching custom policies. For example, an Alibaba Cloud account can grant its RAM users only the permissions to create ECS instances from an image that is shared by another Alibaba Cloud account, or the permissions to create ECS instances from custom images instead of public images or Alibaba Cloud Marketplace images. For more information, see Configure policies for shared images used to create ECS instances.
Limits on regions
  • You can share images across accounts only within the same region. If you want to share images across regions, you must copy the image to the destination region and then share the image copy. You can also share the image and then copy the shared image to the desired regions. For more information, see Copy an image.
  • Images can be shared between accounts on the China site (aliyun.com), International site (alibabacloud.com), and Japan site (jp.alibabacloud.com), except for custom images that are derived from Alibaba Cloud Marketplace images. Fees of custom images that are derived from Alibaba Cloud Marketplace images vary based on the site. You cannot share these images across the sites.
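
A pre-attachment check for the two RAM policies in the Account permission item above, as an added example that is not Alibaba Cloud's own code: it rejects a policy document that is not valid JSON and reports allowed actions beyond what the chosen scenario needs. The scenario names, the sample policies and the use of shell-style matching for `*` are assumptions of this sketch.

```python
import json
from fnmatch import fnmatchcase

# Actions each scenario may use, taken from the two policies shown on this page.
ALLOWED = {
    "view": {"ecs:DescribeImages"},
    "create": {"ecs:RunInstances", "ecs:CreateInstance"},
}

# Constructed inputs: a policy broken by a trailing comma, and one that grants too much.
BROKEN = ('{"Version": "1", "Statement": [{"Action": ["ecs:DescribeImages",],'
          ' "Resource": "*", "Effect": "Allow"}]}')
TOO_BROAD = json.dumps({"Version": "1", "Statement": [
    {"Action": ["ecs:RunInstances", "ecs:DeleteImage", "ecs:Describe*"],
     "Resource": "*", "Effect": "Allow"}]})


def as_list(value):
    """Action may be written as a single string or as a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy_text, scenario):
    """Return findings; an empty list means only the scenario's actions are allowed."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    allowed, granted, findings = ALLOWED[scenario], set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            # Shell-style matching approximates how a wildcard expands (assumption).
            granted |= {a for a in allowed if fnmatchcase(a, action)}
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in allowed:
                findings.append(f"not needed for '{scenario}': {action}")
    if not granted:
        findings.append(f"no action for '{scenario}' is allowed")
    return findings
```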

Sharees

Item | Description
Sharing fee
  • Images that are shared with an account do not count against the image quota of the account. The account is not charged for the shared images.
  • If a shared image is a paid image and the sharees use the shared image to create ECS instances, the sharees are charged for the image. For example, if you use a paid image that is shared by another Alibaba Cloud account to create an instance, you are charged for the shared image and the created instance.

For more information about image billing, see Images.

Limits
  • Sharees can use shared images only to create ECS instances. Alternatively, they can copy the shared images to their accounts as custom images and then delete or update the images. For more information, see Use shared images.
  • When the resources that are used by a shared image or the source image are unavailable due to overdue payments or invalid keys, the shared image cannot be used to create ECS instances. In this case, ECS instances that were created from the shared image, and snapshots and images that were created based on the disks of the instances, may be unavailable.

Procedure

This section describes how to share an image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. In this example, an unencrypted custom image is used.
Note: If you want to share an encrypted custom image, you must use RAM to obtain the required permissions. For more information, see Share an encrypted custom image.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
  5. In the Share Image dialog box, perform the following operations based on the image sharing scenario.
    • Share the image with other Alibaba Cloud accounts
      1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.
      2. Click Share Image.
    • Share the image within your organization based on resource directories or folders
      1. In the Sharee Type section, click Shared Organization.
        Note: Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
      2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.

What to do next

  • After the image is shared, the sharees can use the shared image in the ECS console. For more information, see Use shared images.
  • You can unshare custom images that are no longer required. For more information, see Unshare custom images.