Elastic Compute Service: Share a custom image

Last Updated: Jun 21, 2024

You can use shared images to create Elastic Compute Service (ECS) instances across multiple Alibaba Cloud accounts in the same region. After you create a custom image, you can share the custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. This way, the sharees can use the shared image to create identical ECS instances. This topic describes how to share a custom image and the considerations that you must take note of when you share the image.

Scenarios

  • Scenario 1: You want to share images in your Alibaba Cloud account with one or more Alibaba Cloud accounts.

  • Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.

    If you share images in Scenario 2, all accounts in the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.

    Note

    Resource Directory is a service that you can use to manage relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to create a hierarchy for the resources of your organization. For more information, see Resource Directory overview.

    If you shared a custom image with all members in a resource directory or with all members in a specific folder in the resource directory, we recommend that you do not reshare the custom image in the manner described in Scenario 1. This prevents inconsistencies of the shared image data in resource directories.

Considerations

Before you share a custom image, take note of the items described in the following tables.

Sharers

Item

Description

Fees

You are not charged for sharing custom images.

Permissions

  • You can share custom images that are created in your account. You cannot share custom images that are created and shared by other accounts.

  • ECS imposes limits on the number of users with which you can share a custom image. In the Quota Center console, you can view and change the Quota of users that can be shared per custom image on the General Quotas page for ECS. For more information, see Manage ECS quotas.

  • If you want to share custom images with Alibaba Cloud accounts, you must use your Alibaba Cloud account to share the images. Alibaba Cloud accounts can grant permissions to the Resource Access Management (RAM) users of the accounts by attaching policies to the RAM users.

    • For example, if Alibaba Cloud Account A shares a custom image with Alibaba Cloud Account B and Alibaba Cloud Account B has a RAM user named User B1, Alibaba Cloud Account B must grant permissions on the shared image to User B1 based on the scenario.

      Note

      Scenario 1: If User B1 needs to view the shared image, User B1 must have the permissions to call the DescribeImages operation. To grant the permissions to User B1, Alibaba Cloud Account B must attach a custom policy similar to the following one to User B1:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:DescribeImages"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

      Scenario 2: If User B1 needs to create ECS instances from the shared image, User B1 must have the permissions to call the RunInstances or CreateInstance operation. To grant the permissions to User B1, Alibaba Cloud Account B must attach a custom policy similar to the following one to User B1:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }

      For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.

    • In specific cases, Alibaba Cloud accounts must perform fine-grained permission control on the RAM users of the accounts by attaching custom policies to the RAM users. For example, an Alibaba Cloud account can grant the RAM users of the account only the permissions to create ECS instances from a custom image that is shared by another Alibaba Cloud account, or the permissions to create ECS instances from custom images instead of public images or Alibaba Cloud Marketplace images. For more information, see Configure policies for shared images used to create ECS instances.

    • Images cannot be shared between accounts on the China site and accounts on the international site.

Regions

  • You can share custom images across accounts only within the same region.

    If you want to share a custom image across regions, copy the image to the destination region and share the image copy, or share the image and copy the shared image to the destination region. For more information, see Copy a custom image.

  • You can share encrypted custom images only in the China (Beijing), China (Shanghai), China (Hong Kong), and Singapore regions.

Sharees

Item

Description

Fees

  • Images that are shared with an account do not count against the image quota of the account. The account is not charged for the shared images.

  • If a shared image is derived from a paid image and the sharees use the shared image to create ECS instances, the sharees are charged for the shared image. For example, if another Alibaba Cloud account shares a paid image with you, and you use the shared image to create an ECS instance, you are charged for the shared image and the created instance.

For more information about image billing, see Images.

Limits

  • Sharees can use shared images only to create ECS instances. Sharees can copy the shared images to the accounts of the sharees as custom images and delete or update the custom images. For more information, see Use shared images.

  • If a shared image or the resources on which the shared image depends are unavailable due to specific reasons such as overdue payments or invalid keys, the shared image cannot be used to create ECS instances. ECS instances that are created from the shared image and the snapshots and images that are created based on the disks of the instances may also be unavailable.

  • You cannot share ECS custom images for use on simple application servers. You can share custom images created from simple application servers for use on ECS instances. For more information, see Share a custom image.

Preparations

  • Before you share a custom image, make sure that all sensitive data and files are removed from the image.

  • When you share a custom image in different scenarios, take note of the following items:

    • To share a custom image with other Alibaba Cloud accounts, you must obtain the IDs of the accounts.

      To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the Main Account tag is added to the Alibaba Cloud account, the account ID is an Alibaba Cloud account ID.

    • To share a custom image within your organization based on resource directories or folders, you must enable the resource directories by using the management account or members. For more information, see Enable a resource directory.

Procedure

Share an unencrypted custom image

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Images.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Custom Images tab, find the unencrypted custom image that you want to share and click Share Image in the Actions column.

  5. In the Share Image dialog box, configure the parameters based on your business requirements.

    • Share the unencrypted custom image with other Alibaba Cloud accounts

      1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.

      2. For the Security Confirmation parameter, select After you share the unencrypted custom image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the unencrypted custom image with the accounts.

      3. Click Confirm.

    • Share the unencrypted custom image within your organization based on resource directories or folders

      1. To the right of the Sharee Type parameter, click Shared Organization.

        Note

        Only the management account or members that enabled a resource directory can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.

      2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.

        Note

        In the Resources section of the Create Resource Share page, set the resource type to ECS Image.

    After you share the unencrypted custom image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.

Share an encrypted custom image

Step 1: Create a RAM role and grant permissions to the RAM role

If you want to share an encrypted custom image, create a RAM role named AliyunECSShareEncryptImageDefaultRole in the RAM console and attach a policy to grant the required permissions to the RAM role. Then, you can share the encrypted custom image with other Alibaba Cloud accounts or within your organization based on the resource directory or folder.

  1. Log on to the RAM console with an Alibaba Cloud account from which you want to share an encrypted custom image.

  2. On the Policies page, find or create a policy.

    • If the custom image that you want to share is encrypted by using the default service customer master key (CMK), find the AliyunKMSFullAccess system policy. To view the content of the system policy, see AliyunKMSFullAccess.

    • If the custom image that you want to share is encrypted by using a custom CMK that you created in Key Management Service (KMS), click Create Policy on the Policies page and click the JSON tab to create a custom policy that grants the minimum permissions on the custom CMK. For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.

      The following sample code provides an example policy that grants only the permissions on the CMK associated with the encrypted custom image that you want to share:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "kms:List*",
            "Resource": "acs:kms:<ID of the region in which the CMK resides>:<ID of the Alibaba Cloud account to which the CMK belongs>:key",
            "Effect": "Allow"
          },
          {
            "Action": [
              "kms:DescribeKey",
              "kms:TagResource",
              "kms:UntagResource",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey"
            ],
            "Resource": "acs:kms:<ID of the region in which the CMK resides>:<ID of the Alibaba Cloud account to which the CMK belongs>:key/<ID of the CMK associated with the image>",
            "Effect": "Allow"
          }
        ]
      }

      Note

      You must replace the <ID of the region in which the CMK resides>, <ID of the Alibaba Cloud account to which the CMK belongs>, and <ID of the CMK associated with the image> variables with actual values.

  3. On the Roles page, create a RAM role named AliyunECSShareEncryptImageDefaultRole for a trusted Alibaba Cloud account.

    For more information, see Create a RAM role for a trusted Alibaba Cloud account.

  4. On the Roles page, click the AliyunECSShareEncryptImageDefaultRole role that you created to go to the role details page.

    • On the Permissions tab, click Grant Permission to attach the policy that you found or created in Step 2 to the RAM role. For more information, see the Method 1: Grant permissions to a RAM role by clicking Grant Permission on the Roles page section of the "Grant permissions to a RAM role" topic.

    • On the Trust Policy tab, click Edit Trust Policy and specify the sharees with which you want to share the encrypted custom image. For more information, see Edit the trust policy of a RAM role.

      • If you want to share the encrypted custom image with an Alibaba Cloud account, replace the default trust policy with the following policy:

        {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "<UID>@ecs.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }

        Note

        In the replacement policy, replace <UID> with the ID of the Alibaba Cloud account with which to share the encrypted custom image. If you want to share the encrypted custom image with multiple Alibaba Cloud accounts, you must specify the IDs of the Alibaba Cloud accounts with which to share the image.

      • If you want to share the encrypted custom image within your organization based on resource directories, replace the default trust policy based on the scenario.

        • Scenario 1: If you want to share the encrypted custom image with all members in a resource directory, replace the default trust policy with the following policy in which the ID of the resource directory is specified:

          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "*@ecs.aliyuncs.com"
                },
                "Condition": {
                  "StringEquals": {
                    "sts:ServiceOwnerRDId": "<ID of the resource directory>"
                  }
                }
              }
            ],
            "Version": "1"
          }

          Note

          In the replacement policy, replace <ID of the resource directory> with the ID of the resource directory of the sharees. For information about how to view the ID of a resource directory, see View the basic information about a resource directory.

        • Scenario 2: If you want to share the encrypted custom image with all members in a specific folder in a resource directory, replace the default trust policy with the following policy in which the resource directory path of the folder is specified in the <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> format:

          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "*@ecs.aliyuncs.com"
                },
                "Condition": {
                  "StringLike": {
                    "sts:ServiceOwnerRDPath": "<ID of the resource directory>/<Root folder ID>/.../<Current folder ID*>"
                  }
                }
              }
            ],
            "Version": "1"
          }

          Note

          In the replacement policy, replace <ID of the resource directory>, <Root folder ID>, and <Current folder ID> with actual values. For information about how to view the resource directory path of a folder, see View the basic information of a folder.
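
Added example (not part of the Alibaba Cloud documentation): a Python check to run over the two JSON documents from Step 1 before you save them. It flags a permission policy that grants the key-level KMS actions on anything other than one CMK, and a trust policy whose *@ecs.aliyuncs.com principal has no resource directory condition or still contains a placeholder. The function names, the constructed sample and the assumption that account IDs are numeric are the example's own.

```python
import json
import re
from fnmatch import fnmatchcase

# Key-level actions from the page's sample CMK policy.
KEY_ACTIONS = ["kms:DescribeKey", "kms:TagResource", "kms:UntagResource",
               "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
# Assumption: region IDs are lowercase letters, digits, hyphens; account IDs are numeric.
SINGLE_KEY = re.compile(r"^acs:kms:[a-z0-9-]+:\d+:key/[^*?<>/]+$")
ECS_PRINCIPAL = re.compile(r"^(\*|\d+)@ecs\.aliyuncs\.com$")
RD_KEYS = {"sts:ServiceOwnerRDId", "sts:ServiceOwnerRDPath"}
# Constructed sample: wildcard principal with the Condition block left out.
SAMPLE_TRUST = ('{"Version": "1", "Statement": [{"Action": "sts:AssumeRole", '
                '"Effect": "Allow", "Principal": {"Service": "*@ecs.aliyuncs.com"}}]}')


def as_list(value):
    return value if isinstance(value, list) else [value]


def allow_statements(policy_text):
    return [s for s in json.loads(policy_text).get("Statement", [])
            if s.get("Effect") == "Allow"]


def lint_permission_policy(policy_text):
    """Flag key-level KMS actions granted on anything but one CMK ARN."""
    findings = set()
    for stmt in allow_statements(policy_text):
        for pattern in as_list(stmt.get("Action", [])):
            hit = [a for a in KEY_ACTIONS
                   if fnmatchcase(a.lower(), pattern.lower())]
            for res in as_list(stmt.get("Resource", [])):
                if hit and not SINGLE_KEY.match(res):
                    findings.add(f"{pattern} on {res} is not limited to one CMK")
    return sorted(findings)


def lint_trust_policy(policy_text):
    """Flag unfilled principals and wildcards with no usable RD condition."""
    findings = []
    for stmt in allow_statements(policy_text):
        cond = {k: v for op in stmt.get("Condition", {}).values()
                for k, v in op.items()}
        scoped = any(str(v).strip("*/ ") and "<" not in str(v)
                     for k in RD_KEYS.intersection(cond)
                     for v in as_list(cond[k]))
        for svc in as_list(stmt.get("Principal", {}).get("Service", [])):
            if not ECS_PRINCIPAL.match(svc):
                findings.append(f"unexpected or unfilled principal {svc!r}")
            elif svc.startswith("*") and not scoped:
                findings.append("wildcard principal without a resource "
                                "directory condition")
    return findings
```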

Step 2: Share the encrypted custom image

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Images.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.

  5. In the Share Image dialog box, configure the parameters based on your business requirements.

    • Share the encrypted custom image with other Alibaba Cloud accounts

      1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.

      2. For the Security Confirmation parameter, select After you share the unencrypted custom image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the unencrypted custom image with the accounts.

      3. Click Confirm.

    • Share the encrypted custom image within your organization based on resource directories or folders

      1. To the right of the Sharee Type parameter, click Shared Organization.

        Note

        Only the management account or members that enabled a resource directory can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.

      2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.

        Note

        In the Resources section of the Create Resource Share page, set the resource type to ECS Image.

    After you share the encrypted custom image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.