You can use shared images to deploy Elastic Compute Service (ECS) instances across accounts within the same region. Before you can share an encrypted custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use Resource Access Management (RAM) to create a RAM role and grant the required permissions to the role. This topic describes how to share an encrypted custom image and the precautions to take when you share it.
Scenarios
You can share encrypted custom images only within the following zones of the China (Beijing), China (Shanghai), China (Hong Kong), and Singapore regions.
- China (Beijing): Zone A, Zone B, Zone C, Zone D, Zone E, Zone F, Zone G, Zone H, Zone I, Zone J, Zone K, and Zone L
- China (Shanghai): Zone A, Zone B, Zone C, Zone D, Zone E, Zone F, Zone G, Zone K, Zone L, Zone M, and Zone N
- China (Hong Kong): Zone B, Zone C, and Zone D
- Singapore: Zone A, Zone B, and Zone C
- Scenario 1: You want to share images from your Alibaba Cloud account with one or more Alibaba Cloud accounts.
- Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.
If you share images in scenario 2, all accounts within the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.
Note: Resource Directory is a service that can be used to manage the relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.
If you have shared a custom image based on resource directories, we recommend that you do not share the custom image again in the way described in Scenario 1. This prevents inconsistent image sharing data in resource directories.
Preparations
- Before you share a custom image, make sure that all sensitive data and files are removed from the image.
- When you share an image in different scenarios, take note of the following items:
  - To share an image to other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.
    To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.
  - To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account and member accounts. For information about how to enable a resource directory, see Enable a resource directory.
- You can share images across accounts only within the same region. If you want to share images across regions, you must copy the image to the destination region and then share the image copy, or share the image and copy the shared image to other regions. For more information, see Copy an image.
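The first preparation item, removing sensitive data before sharing, can be checked mechanically. The following is an added example, not part of the original Alibaba Cloud documentation: it walks a mounted copy of the image file system and reports leftover key and credential files. The checklist of file names, the function names, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed checklist (not from the page): names and markers that often hold secrets.
SENSITIVE_NAMES = {"authorized_keys", "id_rsa", "id_ed25519", ".bash_history",
                   ".mysql_history", ".netrc", ".pgpass"}
CREDENTIAL_SUFFIXES = (".aliyun/config.json", ".aws/credentials")
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def scan_image_root(root):
    """Return sorted (relative_path, reason) findings under a mounted image root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or not os.path.isfile(full) or not os.path.getsize(full):
                continue  # skip symlinks, special files and emptied files
            if name in SENSITIVE_NAMES:
                findings.append((rel, "sensitive file name"))
            elif rel.endswith(CREDENTIAL_SUFFIXES):
                findings.append((rel, "cloud CLI credentials"))
            else:
                with open(full, "rb") as fh:
                    head = fh.read(4096)  # PEM headers sit at the start of the file
                if PRIVATE_KEY_RE.search(head):
                    findings.append((rel, "private key material"))
    return sorted(findings)

def build_sample_root():
    """Constructed sample tree standing in for a mounted image (not real data)."""
    root = tempfile.mkdtemp(prefix="image-root-")
    samples = {
        "root/.ssh/authorized_keys": b"ssh-ed25519 AAAA-constructed user@example\n",
        "root/.bash_history": b"",  # already emptied, so not reported
        "home/app/.aliyun/config.json": b'{"profiles": []}\n',
        "etc/app/tls.pem": b"-----BEGIN PRIVATE KEY-----\nconstructed\n",
        "etc/hostname": b"build-host\n",  # harmless control file
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in scan_image_root(build_sample_root()):
        print(f"{reason}: {rel}")
```

An empty result from `scan_image_root` only means that none of the listed patterns matched; application-specific secrets such as database passwords in configuration files still need a manual review.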
Precautions
Before you share images, take note of the items described in the following tables.
Sharers
Item | Description |
---|---|
Sharing fee | You are not charged for sharing images. |
Account permission |
|
Limits on regions |
|
Sharees
Item | Description |
---|---|
Sharing fee |
For more information about image billing, see Images. |
Limits | Sharees can use shared images only to create ECS instances. Alternatively, they can copy the shared images to their accounts as custom images and then delete or update the images. For more information, see Use shared images. |
Step 1: Create a RAM role and grant permissions to the role
Before you can share an encrypted custom image with Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use RAM to create a RAM role named AliyunECSShareEncryptImageDefaultRole and grant the required permissions to the role.
- Log on to the RAM console with an Alibaba Cloud account from which you want to share an encrypted custom image.
- In the left-side navigation pane, choose .
- Click Create Role. In the Create Role panel, perform the following operations:
- On the Roles page, enter AliyunECSShareEncryptImageDefaultRole in the search box next to Create Role. Then, click the role name to go to the role details page.
- On the role details page, modify the trust policy.
Step 2: Share an encrypted custom image
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
- In the Share Image dialog box, perform the following operations based on the image sharing scenario.
  - Share the image to other Alibaba Cloud accounts
    - Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field. You can enter up to 50 Alibaba Cloud account IDs at the same time.
    - Click Share Image.
  - Share the image within your organization based on resource directories or folders
    - In the Sharee Type section, click Shared Organization.
      Note: Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
    - Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
      Note: In the Select Shared Resource section of the Create Resource Share page, set Resource Type to ECS Image.
What to do next
- After the image is shared, the sharees can use the shared image in the ECS console. For more information, see Use shared images.
- You can unshare images that are no longer needed. For more information, see Unshare custom images.