You can use shared images to deploy Elastic Compute Service (ECS) instances across accounts within the same region. Before you can share an encrypted custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use Resource Access Management (RAM) to create a RAM role and grant the required permissions to the role. This topic describes how to share an encrypted custom image and the precautions of sharing the image.

Scenarios

Note

You can share encrypted custom images only within the following zones of the China (Beijing), China (Shanghai), China (Hong Kong), and Singapore regions.

  • China (Beijing): Zone A, Zone B, Zone C, Zone D, Zone E, Zone F, Zone G, Zone H, Zone I, Zone J, Zone K, and Zone L
  • China (Shanghai): Zone A, Zone B, Zone C, Zone D, Zone E, Zone F, Zone G, Zone K, Zone L, Zone M, and Zone N
  • China (Hong Kong): Zone B, Zone C, and Zone D
  • Singapore: Zone A, Zone B, and Zone C

You can share encrypted custom images in the following scenarios:

  • Scenario 1: You want to share images in your Alibaba Cloud account to one or more Alibaba Cloud accounts.
  • Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory to all members in the resource directory or to all members in a specific folder in the resource directory.

    If you share images in scenario 2, all accounts within the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.

    Note Resource Directory is a service that can be used to manage the relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.

    If you have shared a custom image based on resource directories, we recommend that you do not reshare the custom image in the way described in Scenario 1. This prevents inconsistencies in the image sharing data of the resource directory.

Preparations

  • Before you share a custom image, make sure that all sensitive data and files are removed from the image.
  • When you share an image in different scenarios, take note of the following items:
    • To share an image to other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.

      To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

    • To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account and member accounts. For information about how to enable a resource directory, see Enable a resource directory.
  • You can share images across accounts only within the same region. If you want to share images across regions, you must copy the image to the destination region and then share the image copy, or share the image and copy the shared image to other regions. For more information, see Copy an image.

Precautions

Before you share images, take note of the items described in the following tables.

Sharers

Sharing fee

  • You are not charged for sharing images.

Account permission
  • You can share only custom images that are created within your account. You cannot share custom images that are created and shared by other accounts.
  • A custom image can be shared to up to 50 accounts.
  • If you want to share images to Alibaba Cloud accounts, you must use your Alibaba Cloud account to share the images. Alibaba Cloud accounts can grant permissions to their Resource Access Management (RAM) users by attaching policies.
    • For example, assume that Alibaba Cloud Account A shares an image to Alibaba Cloud Account B and that Alibaba Cloud Account B has RAM User B1. Account B must grant permissions on the shared image to B1 based on the following scenarios.
      Note
      Scenario 1: If B1 needs to view the shared image, B1 must be granted the permissions to call the DescribeImages operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:DescribeImages"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Scenario 2: If B1 needs to create ECS instances from the shared image, B1 must be granted the permissions to call the RunInstances or CreateInstance operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      For more information, see Create a custom policy on the JSON tab.
    • In specific cases, Alibaba Cloud accounts need to implement fine-grained permission control on their RAM users by attaching custom policies. For example, an Alibaba Cloud account can grant its RAM users only the permissions to create ECS instances from an image shared by another Alibaba Cloud account, or the permissions to create ECS instances from custom images instead of public images or Alibaba Cloud Marketplace images. For more information, see Configure policies for shared images used to create ECS instances.
Limits on regions
  • You can share images across accounts only within the same region and cannot share images across regions. If you want to share images across regions, you must copy the image to the destination region and then share the image copy, or share the image and copy the shared image to other regions. For more information, see Copy an image.
  • You can share images between accounts across the China (aliyun.com), International (alibabacloud.com), and Japan (jp.alibabacloud.com) sites, except for custom images that are derived from Alibaba Cloud Marketplace images. Fees of custom images that are derived from Alibaba Cloud Marketplace images vary with sites. You cannot share these images across the sites.

Sharees

Sharing fee
  • Images that are shared to an account do not count against the image quota for the account. The account is not charged for images shared to it.
  • If a shared image is a paid image and the sharees use the shared image to create ECS instances, the sharees are charged for the image. For example, if you use a paid image that is shared by another Alibaba Cloud account to create an instance, you are charged for the shared image and created instance.

For more information about image billing, see Images.

Limits

Sharees can use shared images only to create ECS instances. Alternatively, they can copy the shared images to their accounts as custom images and then delete or update the images. For more information, see Use shared images.

Step 1: Create a RAM role and grant permissions to the role

Before you can share an encrypted custom image with Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use RAM to create a RAM role named AliyunECSShareEncryptImageDefaultRole and grant the required permissions to the role.

  1. Log on to the RAM console with an Alibaba Cloud account from which you want to share an encrypted custom image.
  2. In the left-side navigation pane, choose Identities > Roles.
  3. Click Create Role. In the Create Role panel, perform the following operations:
    1. In the Select Role Type step, select Alibaba Cloud Account and click Next.
    2. In the Configure Role step, enter AliyunECSShareEncryptImageDefaultRole in the RAM Role Name field, set Select Trusted Alibaba Cloud Account to Current Alibaba Cloud Account, and then click OK.
    3. In the Finish step, click Add Permissions to RAM Role.
    4. In the Add Permissions panel, click System Policy in the Select Policy section and enter AliyunKMSFullAccess in the search box.
      Accept the default values for other parameters.
    5. Click the AliyunKMSFullAccess policy to add the policy to the Selected section and click OK. Then, click OK.
  4. On the Roles page, enter AliyunECSShareEncryptImageDefaultRole in the search box next to Create Role. Then, click the role name to go to the role details page.
  5. On the role details page, modify the trust policy.
    1. Click the Trust Policy Management tab.
    2. Click Edit Trust Policy and replace the default trust policy in the Edit Trust Policy panel.
      • If you want to share an encrypted custom image with a single Alibaba Cloud account, replace the default trust policy with the following policy. In the replacement policy, replace <UID> with the ID of the Alibaba Cloud account with which you want to share the image.
        {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "<UID>@ecs.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }
      • If you want to share an encrypted custom image with multiple Alibaba Cloud accounts, replace the default trust policy with the following policy. In the replacement policy, replace <UID-X> with the ID of each Alibaba Cloud account with which to share the image.
        {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "<UID-1>@ecs.aliyuncs.com",
                  "<UID-2>@ecs.aliyuncs.com",
                  "<UID-3>@ecs.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }
      • If you want to share an encrypted custom image within your organization based on resource directories, replace the default trust policy based on the following scenarios:
        • Scenario 1: If you want to share an encrypted custom image with a resource directory, replace the default trust policy with the following policy in which the ID of the resource directory is specified:
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "*@ecs.aliyuncs.com"
                },
                "Condition": {
                  "StringEquals": {
                    "sts:ServiceOwnerRDId": "<Resource directory ID>"
                  }
                }
              }
            ],
            "Version": "1"
          }

          In the preceding policy, replace <Resource directory ID> with the ID of the resource directory with which you want to share the image. For information about how to view the ID of a resource directory, see View the basic information of a resource directory.

        • Scenario 2: If you want to share an encrypted custom image with a folder, replace the default trust policy with the following policy in which the resource directory path of the folder is specified in the <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> format:
          {
            "Statement": [
              {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                  "Service": "*@ecs.aliyuncs.com"
                },
                "Condition": {
                  "StringLike": {
                    "sts:ServiceOwnerRDPath": "<Resource directory ID>/<Root folder ID>/.../<Current folder ID*>"
                  }
                }
              }
            ],
            "Version": "1"
          }

          In the preceding policy, replace <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> with the resource directory path of the folder with which you want to share the image. For information about how to obtain the resource directory path of a folder, see View the basic information of a folder.

    3. Click OK.
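As an added example that is not part of the Alibaba Cloud documentation, the following Python builds the trust-policy shapes shown in Step 1 for AliyunECSShareEncryptImageDefaultRole and lints a policy before it is pasted into the Edit Trust Policy panel: a wildcard *@ecs.aliyuncs.com principal is flagged unless it is narrowed by an sts:ServiceOwnerRDId or sts:ServiceOwnerRDPath condition (the role carries AliyunKMSFullAccess, so an unconditioned wildcard would let the ECS service of any account assume it), and unreplaced <UID> placeholders are caught. The account IDs, resource directory ID and folder path used for testing are constructed placeholders.

```python
import json
import re

ECS_SERVICE_SUFFIX = "@ecs.aliyuncs.com"
RD_CONDITION_KEYS = {"sts:ServiceOwnerRDId", "sts:ServiceOwnerRDPath"}
UID_RE = re.compile(r"^\d+$")


def _policy(principal, condition=None):
    """Wrap one Allow sts:AssumeRole statement in the RAM trust-policy envelope."""
    stmt = {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": principal}}
    if condition:
        stmt["Condition"] = condition
    return {"Statement": [stmt], "Version": "1"}


def trust_policy_for_accounts(account_ids):
    """Trust the ECS service of each listed Alibaba Cloud account ID (single or multiple accounts)."""
    return _policy([f"{uid}{ECS_SERVICE_SUFFIX}" for uid in account_ids])


def trust_policy_for_resource_directory(rd_id):
    """Trust ECS in every account of one resource directory: wildcard narrowed by RD ID."""
    return _policy(f"*{ECS_SERVICE_SUFFIX}", {"StringEquals": {"sts:ServiceOwnerRDId": rd_id}})


def trust_policy_for_folder(rd_path):
    """Trust ECS in every account under one folder; rd_path ends with the '*' wildcard."""
    return _policy(f"*{ECS_SERVICE_SUFFIX}", {"StringLike": {"sts:ServiceOwnerRDPath": rd_path}})


def lint_trust_policy(policy):
    """Return findings for a trust policy; an empty list means it matches the documented shapes."""
    findings = []
    for stmt in policy.get("Statement", []):
        services = stmt.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        # Collect every condition key regardless of operator (StringEquals, StringLike, ...).
        condition_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        for svc in services:
            if not svc.endswith(ECS_SERVICE_SUFFIX):
                findings.append(f"principal {svc!r} is not an ECS service principal")
                continue
            owner = svc[: -len(ECS_SERVICE_SUFFIX)]
            if owner == "*":
                # A wildcard owner must be narrowed to a resource directory or folder;
                # otherwise ECS in any account could assume this KMS-privileged role.
                if not condition_keys & RD_CONDITION_KEYS:
                    findings.append("wildcard principal without a resource directory condition")
            elif not UID_RE.match(owner):
                # Catches unreplaced placeholders such as '<UID>' left over from the template.
                findings.append(f"owner {owner!r} is not a numeric Alibaba Cloud account ID")
    return findings
```

Serialize the returned dict with json.dumps(policy, indent=2) to obtain the text to paste into the Edit Trust Policy panel.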

Step 2: Share an encrypted custom image

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
  5. In the Share Image dialog box, perform the following operations based on the image sharing scenario.
    • Share the image to other Alibaba Cloud accounts
      1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field. You can enter up to 50 Alibaba Cloud account IDs at the same time.
      2. Click Share Image.
    • Share the image within your organization based on resource directories or folders
      1. In the Sharee Type section, click Shared Organization.
        Note Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
      2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
        Note In the Select Shared Resource section of the Create Resource Share page, set Resource Type to ECS Image.

What to do next

  • After the image is shared, the sharees can use the shared image in the ECS console. For more information, see Use shared images.
  • You can unshare images that are no longer needed. For more information, see Unshare custom images.