You can use shared images to deploy Elastic Compute Service (ECS) instances across accounts within the same region. Before you can share an encrypted custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use Resource Access Management (RAM) to create a RAM role and grant the required permissions to the role. This topic describes how to share an encrypted custom image and the precautions of sharing the image.
Scenarios
You can share encrypted custom images only within the following zones of the China (Beijing), China (Shanghai), China (Hong Kong), and Singapore regions.
Scenario 1: You want to share images in your Alibaba Cloud account with one or more Alibaba Cloud accounts.
Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.
If you share images in Scenario 2, all accounts in the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.
Note: Resource Directory is a service that you can use to manage relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.
If you have shared a custom image based on resource directories, we recommend that you do not reshare the custom image in the manner described in Scenario 1. This prevents the image sharing data in resource directories from becoming inconsistent.
Preparations
Before you share a custom image, make sure that all sensitive data and files are removed from the image.
When you share a custom image in different scenarios, take note of the following items:
To share an image with other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.
To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account, the account ID is an Alibaba Cloud account ID.
To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account or member accounts. For more information, see Enable a resource directory.
You can share images across accounts only within the same region. If you want to share an image across regions, copy the image to the destination region and then share the image copy. You can also share the image and then copy the image to the desired regions. For more information, see Copy a custom image.
Considerations
Before you share images, take note of the items described in the following tables.
Sharers
Item | Description |
Sharing fee | You are not charged for sharing images. |
Account permissions | |
Region | You can share images across accounts only within the same region and cannot share images across regions. |
Sharees
Item | Description |
Sharing fee | For more information about image billing, see Images. |
Limits | |
Step 1: Create a RAM role and grant permissions to the role
Before you can share an encrypted custom image with Alibaba Cloud accounts or within your organization based on resource directories or folders, you must use RAM to create a RAM role named AliyunECSShareEncryptImageDefaultRole and grant the required permissions to the role.
Log on to the RAM console with an Alibaba Cloud account from which you want to share an encrypted custom image.
In the left-side navigation pane, choose .
Click Create Role. In the Create Role panel, perform the following operations:
In the Select Role Type step, select Alibaba Cloud Account and click Next.
In the Configure Role step, enter AliyunECSShareEncryptImageDefaultRole in the RAM Role Name field, set Select Trusted Alibaba Cloud Account to Current Alibaba Cloud Account, and then click OK.
In the Finish step, click Add Permissions to RAM Role.
In the Add Permissions panel, click System Policy in the Select Policy section and enter AliyunKMSFullAccess in the search box. Accept the default values for other parameters.
Click the AliyunKMSFullAccess policy to add the policy to the Selected section and click OK. Then, click OK.
On the Roles page, enter AliyunECSShareEncryptImageDefaultRole in the search box next to Create Role. Then, click the role name to go to the role details page.
On the role details page, modify the trust policy.
Click the Trust Policy Management tab.
Click Edit Trust Policy and replace the default trust policy in the Edit Trust Policy panel.
If you want to share an encrypted custom image with a single Alibaba Cloud account, replace the default trust policy with the following policy. In the replacement policy, replace <UID> with the ID of the Alibaba Cloud account with which you want to share the image.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If you want to share an encrypted custom image with multiple Alibaba Cloud accounts, replace the default trust policy with the following policy. In the replacement policy, replace <UID-X> with the ID of each Alibaba Cloud account with which to share the image.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID-1>@ecs.aliyuncs.com",
          "<UID-2>@ecs.aliyuncs.com",
          "<UID-3>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
If you want to share an encrypted custom image within your organization based on resource directories, replace the default trust policy based on the following scenarios:
Scenario 1: If you want to share an encrypted custom image with a resource directory, replace the default trust policy with the following policy in which the ID of the resource directory is specified:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringEquals": {
          "sts:ServiceOwnerRDId": "<Resource directory ID>"
        }
      }
    }
  ],
  "Version": "1"
}
In the preceding policy, replace <Resource directory ID> with the ID of the resource directory with which you want to share the image. For information about how to view the ID of a resource directory, see View the basic information about a resource directory.
Scenario 2: If you want to share an encrypted custom image with a folder, replace the default trust policy with the following policy in which the resource directory path of the folder is specified in the <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> format:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringLike": {
          "sts:ServiceOwnerRDPath": "<Resource directory ID>/<Root folder ID>/.../<Current folder ID*>"
        }
      }
    }
  ],
  "Version": "1"
}
In the preceding policy, replace <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> with the resource directory path of the folder with which you want to share the image. For information about how to obtain the resource directory path of a folder, see View the basic information of a folder.
Click OK.
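Added example (not Alibaba Cloud's or the RAM console's own code): it builds the trust policies shown in Step 1 from a list of account IDs, a resource directory ID, or a folder path, and audits a policy so that a wildcard *@ecs.aliyuncs.com principal is never left without the sts:ServiceOwnerRDId or sts:ServiceOwnerRDPath condition. The sample account IDs, resource directory ID and folder path are constructed, and the check that account IDs are purely numeric is an assumption of this example, not something the page states.

```python
import json

# Added example, not Alibaba Cloud code: build and audit the trust policies from Step 1.
ECS_SERVICE = "@ecs.aliyuncs.com"
RD_CONDITION_KEYS = {"sts:ServiceOwnerRDId", "sts:ServiceOwnerRDPath"}

def _statement(service, condition=None):
    stmt = {"Action": "sts:AssumeRole", "Effect": "Allow",
            "Principal": {"Service": service}}
    if condition:
        stmt["Condition"] = condition
    return stmt

def trust_policy_for_accounts(account_ids):
    """Trust the ECS service of each listed account (single- and multi-account policies)."""
    # Assumption (not stated on the page): Alibaba Cloud account IDs are purely numeric.
    if not account_ids or not all(str(a).isdigit() for a in account_ids):
        raise ValueError("account IDs must be numeric Alibaba Cloud account IDs")
    services = [f"{a}{ECS_SERVICE}" for a in account_ids]
    return {"Statement": [_statement(services)], "Version": "1"}

def trust_policy_for_resource_directory(rd_id):
    """Wildcard ECS principal scoped to one resource directory via sts:ServiceOwnerRDId."""
    cond = {"StringEquals": {"sts:ServiceOwnerRDId": rd_id}}
    return {"Statement": [_statement(f"*{ECS_SERVICE}", cond)], "Version": "1"}

def trust_policy_for_folder(rd_path):
    """Wildcard ECS principal scoped to a folder subtree via sts:ServiceOwnerRDPath (path ends in *)."""
    cond = {"StringLike": {"sts:ServiceOwnerRDPath": rd_path.rstrip("*") + "*"}}
    return {"Statement": [_statement(f"*{ECS_SERVICE}", cond)], "Version": "1"}

def audit_trust_policy(policy):
    """Return findings for a policy dict or JSON string; [] means every principal is scoped."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRole" or stmt.get("Effect") != "Allow":
            findings.append(f"statement {i}: expected Effect Allow on Action sts:AssumeRole")
        principal = stmt.get("Principal", {})
        if set(principal) - {"Service"}:
            findings.append(f"statement {i}: only ECS service principals are expected, found {sorted(principal)}")
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else services
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for svc in services:
            if not svc.endswith(ECS_SERVICE):
                findings.append(f"statement {i}: {svc!r} is not an ECS service principal")
            elif svc.startswith("*") and not cond_keys & RD_CONDITION_KEYS:
                findings.append(f"statement {i}: wildcard principal {svc!r} has no sts:ServiceOwnerRDId/"
                                "sts:ServiceOwnerRDPath condition, so any account's ECS service could assume the role")
    return findings
```

Run audit_trust_policy on the policy you are about to paste into the Edit Trust Policy panel; a non-empty result means the role would be assumable more broadly than the sharing scenario you chose.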
Step 2: Share an encrypted custom image
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
In the Share Image dialog box, configure the parameters based on your actual requirements.
Share the image with other Alibaba Cloud accounts
Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.
Select the confirmation check box, which reads: After you share the image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the image with the accounts.
Click Confirm.
Share the image within your organization based on resource directories or folders
In the Sharee Type section, click Shared Organization.
Note: Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
Note: In the Resources section of the Create Resource Share page, set the resource type to ECS Image.
After you share the image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.