If the encryption feature is enabled for disks attached to an Elastic Compute Service (ECS) instance, custom images created from the instance are encrypted. This topic describes how to share encrypted custom images.

Background information

For more information about the encryption feature, see Encryption overview. To share encrypted custom images, you must use Resource Access Management (RAM) to create a RAM role named AliyunECSShareEncryptImageDefaultRole and attach specific policies to the role.
Note Encrypted custom images can be shared only in the China (Beijing), China (Shanghai), China (Hong Kong), and Singapore (Singapore) regions.

Procedure

  1. Make preparations.
    Before you share encrypted custom images with an account, you must know the ID of its Alibaba Cloud account. To obtain the ID of the Alibaba Cloud account, move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console. If the account is identified as Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

    In this example, the ID of the Alibaba Cloud account with which the images are shared is 125****.

  2. Log on to the RAM console by using the Alibaba Cloud account of the image owner.
  3. In the left-side navigation pane, choose Identities > Roles.
  4. Click Create Role. In the Create Role panel, perform the following operations:
    1. In the Select Trusted Entity section, select Alibaba Cloud Account and click Next.
    2. In the Configure Role step, enter AliyunECSShareEncryptImageDefaultRole in the RAM Role Name field, select Current Alibaba Cloud Account in the Select Trusted Alibaba Cloud Account section, and then click OK.
    3. In the Finish step, click Add Permissions to RAM Role.
    4. In the Add Permissions panel, click System Policy in the Select Policy section and enter AliyunKMSFullAccess in the search box.
      Use the default configurations for other parameters.
    5. Add the AliyunKMSFullAccess policy and click OK. Then, click Complete.
  5. On the Roles page, enter AliyunECSShareEncryptImageDefaultRole in the search box next to Create Role. Then, click the role name to go to the role details page.
  6. Modify the trust policy on the role details page.
    1. Click the Trust Policy Management tab.
    2. Click Edit Trust Policy and replace the default trust policy with the following policy:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "<UID>@ecs.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
      <UID> is a variable. Replace it with the ID of the Alibaba Cloud account with which the images are shared. In this example, the ID of the Alibaba Cloud account with which the images are shared is 125****, so the modified trust policy is the policy above with <UID> replaced by 125****.
      If you want to share encrypted custom images with multiple Alibaba Cloud accounts, you must list each of those accounts as a principal in the trust policy. Example policy:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "<UID-1>@ecs.aliyuncs.com",
                "<UID-2>@ecs.aliyuncs.com",
                "<UID-3>@ecs.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    3. Click OK.
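    The trust policy above is the only thing that decides which accounts' ECS service can assume AliyunECSShareEncryptImageDefaultRole, so it is worth generating it from the intended account list and re-checking it after editing in the console. The following script is an added example, not Alibaba Cloud tooling: it builds a trust policy in the shape shown in the procedure and audits an existing policy (dict or JSON text) against the intended account IDs, flagging wildcard principals, principals that are not <UID>@ecs.aliyuncs.com, accounts that were not meant to be share targets, and intended accounts that are missing. The account IDs are constructed placeholders standing in for the 125**** example.

```python
"""Build and audit the RAM trust policy used for sharing encrypted custom images.

Added example (not Alibaba Cloud's own tooling). Assumes the policy shape shown
in the procedure above: Action sts:AssumeRole, Effect Allow, and a Service
principal of the form <UID>@ecs.aliyuncs.com for each account the images are
shared with. Account IDs in this file are constructed placeholders.
"""
import json

ECS_PRINCIPAL_SUFFIX = "@ecs.aliyuncs.com"


def build_trust_policy(uids):
    """Return the trust policy document with one ECS service principal per account."""
    principals = [f"{uid}{ECS_PRINCIPAL_SUFFIX}" for uid in uids]
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": principals},
            }
        ],
        "Version": "1",
    }


def audit_trust_policy(policy, intended_uids):
    """Compare a trust policy (dict or JSON string) with the intended accounts.

    Returns a list of findings; an empty list means the policy grants
    sts:AssumeRole exactly to the ECS service principals of intended_uids.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    intended = set(intended_uids)
    granted = set()

    if policy.get("Version") != "1":
        findings.append(f"unexpected Version: {policy.get('Version')!r}")

    for idx, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{idx}]"
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A role that exists only for image sharing should allow nothing but sts:AssumeRole.
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"{where}: unexpected action {action!r}")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{where}: Effect is {stmt.get('Effect')!r}, expected 'Allow'")
            continue

        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"{where}: wildcard principal lets any caller assume the role")
            continue
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            if kind != "Service":
                # RAM users or roles of other accounts are not part of this procedure.
                findings.append(f"{where}: unexpected principal type {kind!r}: {values}")
                continue
            for svc in values:
                if "*" in svc:
                    findings.append(f"{where}: wildcard service principal {svc!r}")
                elif not svc.endswith(ECS_PRINCIPAL_SUFFIX):
                    findings.append(f"{where}: non-ECS service principal {svc!r}")
                else:
                    uid = svc[: -len(ECS_PRINCIPAL_SUFFIX)]
                    if not uid.isdigit():
                        findings.append(f"{where}: malformed account ID in {svc!r}")
                    elif uid not in intended:
                        findings.append(f"{where}: account {uid} is not an intended share target")
                    else:
                        granted.add(uid)

    for uid in sorted(intended - granted):
        findings.append(f"intended account {uid} cannot assume the role (missing principal)")
    return findings


# Constructed placeholder account IDs, standing in for the 125**** example above.
INTENDED_UIDS = ["1250000000000001", "1250000000000002"]

if __name__ == "__main__":
    doc = build_trust_policy(INTENDED_UIDS)
    print(json.dumps(doc, indent=2))
    print("findings:", audit_trust_policy(doc, INTENDED_UIDS))
```

    Paste the printed document into the Edit Trust Policy editor, and run audit_trust_policy against the policy text copied back out of the console whenever the share list changes; any finding means the role can be assumed by more or fewer accounts than intended.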

What to do next

After the AliyunECSShareEncryptImageDefaultRole role is created and configured, you can use the Alibaba Cloud account of the image owner to share encrypted custom images with Alibaba Cloud accounts to which the trust policy is attached. For more information, see Share or unshare a custom image.