This topic describes how to configure RAM policies that control which images an account can use to create instances. It applies to scenarios in which custom images, including encrypted custom images, are shared with other Alibaba Cloud accounts and you want to limit the resources those accounts can use.
Scenarios
In this topic, Alibaba Cloud accounts A and B and RAM user B1, which belongs to B, are used to show how to configure policies that control permissions on resources in the following scenarios:
Configure policies to grant permissions to B1 to use only a custom image shared by A to create an Elastic Compute Service (ECS) instance in the China (Hangzhou) region. The following figure shows the workflow in this scenario.
For more information, see Configure policies to grant permissions to B1 to use only a custom image shared by A to create an ECS instance.
Configure policies to grant permissions to B1 to use only a custom image (including a shared image) instead of a public image or an Alibaba Cloud Marketplace image to create an ECS instance in the China (Hangzhou) region. The following figure shows the workflow in this scenario.
For more information, see Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance.
Preparations
Obtain the account IDs of A and B.
To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.
Use B to grant B1 the permissions required to create ECS instances. The following example provides a sample policy that can be configured to grant permissions to B1:
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
If you share an encrypted custom image, you must configure other policies. For more information, see Share an encrypted custom image.
Configure policies to grant permissions to B1 to use only a custom image shared by A to create an ECS instance
Grant permissions to B1
Use B to create a custom policy.
For more information, see Create a custom policy on the JSON tab.
The following example shows a sample custom policy that can be configured. The ecs:ImageOwnerId condition key specifies that only custom images shared by the specified account can be used to create ECS instances. Replace the "123456789012****" value of the ecs:ImageOwnerId condition key with the account ID of A. The policy contains only a Deny statement and takes effect together with the Allow policy from the Preparations section: the Allow policy grants B1 the permission to create ECS instances, and the Deny statement blocks the use of images in the China (Hangzhou) region whose owner is not A.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Effect": "Deny",
            "Resource": "acs:ecs:cn-hangzhou:*:image/*",
            "Condition": {
                "StringNotEquals": {
                    "ecs:ImageOwnerId": "123456789012****"
                }
            }
        }
    ]
}
Use B to attach the created policy to B1.
For more information, see Grant permissions to a RAM user.
Verify the permissions of B1
Use B1 to create an ECS instance from a custom image.
Use a custom image shared by A to create an ECS instance.
Procedure: For more information, see Use a shared image to create ECS instances.
Result: The ECS instance is created.
Use a custom image shared by another Alibaba Cloud account such as C to create an ECS instance.
Procedure: For more information, see Use a shared image to create ECS instances.
Result: An error message appears when B1 confirms the order, because the image is owned by C rather than A and the Deny statement of the policy matches the request.
Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance
Grant permissions to B1
Use B to create a custom policy.
For more information, see Create a custom policy on the JSON tab.
The following example shows a sample custom policy that can be configured. The "ecs:ImageSource": "Custom" condition specifies that only custom images, including shared custom images, can be used to create ECS instances. Like the policy in the preceding scenario, this policy contains only a Deny statement and relies on the Allow policy from the Preparations section to grant the base permission to create instances; the Deny statement blocks the creation of instances in the China (Hangzhou) region from images whose source is not Custom.
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ecs:RunInstances",
                "ecs:CreateInstance"
            ],
            "Effect": "Deny",
            "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ecs:ImageSource": "Custom"
                }
            }
        }
    ]
}
Use B to attach the created policy to B1.
For more information, see Grant permissions to a RAM user.
Verify the permissions of B1
Use B1 to create an ECS instance from a custom image.
Use a shared custom image to create an ECS instance.
Procedure: For more information, see Use a shared image to create ECS instances.
Result: The ECS instance is created.
Use a public image or an Alibaba Cloud Marketplace image to create an ECS instance.
Procedure: For more information, see Create an instance on the Custom Launch tab.
Result: An error message appears when B1 confirms the order, because the source of a public image or an Alibaba Cloud Marketplace image is not Custom and the Deny statement of the policy matches the request.
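To see how the Allow policy from the Preparations section combines with the two Deny policies in both scenarios above, the following Python script is added here as an illustration. It is not part of this topic and is not an Alibaba Cloud SDK or the RAM policy engine; it models the rule that an explicit Deny overrides an Allow and that a request with no matching Allow is denied by default. The evaluation function, the resource strings of the request, the account ID of C, and the ecs:ImageSource values other than "Custom" are assumptions made for the example. The script also shows two caveats that follow from the policy text: the Deny statements apply only to the China (Hangzhou) region, so B1 can use any image in other regions, and a Deny policy attached on its own, without the Allow policy, grants nothing.

```python
import fnmatch

# Account ID of A, using the placeholder value from this topic.
ACCOUNT_A = "123456789012****"
# Constructed placeholder for another Alibaba Cloud account C (assumption).
ACCOUNT_C = "987654321098****"

# Policy from the Preparations section: B grants B1 the right to create instances.
ALLOW_RUN = {
    "Version": "1",
    "Statement": [{
        "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
        "Resource": "*",
        "Effect": "Allow",
    }],
}

# Scenario 1: deny the use of images in cn-hangzhou whose owner is not A.
DENY_IMAGE_NOT_FROM_A = {
    "Version": "1",
    "Statement": [{
        "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
        "Effect": "Deny",
        "Resource": "acs:ecs:cn-hangzhou:*:image/*",
        "Condition": {"StringNotEquals": {"ecs:ImageOwnerId": ACCOUNT_A}},
    }],
}

# Scenario 2: deny instance creation in cn-hangzhou unless the image is custom.
DENY_IMAGE_NOT_CUSTOM = {
    "Version": "1",
    "Statement": [{
        "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
        "Effect": "Deny",
        "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
        "Condition": {"StringNotEquals": {"ecs:ImageSource": "Custom"}},
    }],
}

SCENARIO_1 = [ALLOW_RUN, DENY_IMAGE_NOT_FROM_A]
SCENARIO_2 = [ALLOW_RUN, DENY_IMAGE_NOT_CUSTOM]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the two string operators that the policies on this page use."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policies, action, resources, context):
    """Simplified model of RAM evaluation (an assumption, not the real engine).

    A request touches several resources, here the instance to be created and
    the image it is created from. It is denied if any statement explicitly
    denies the action on any of those resources, allowed if some statement
    allows it, and denied by default otherwise.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            patterns = _as_list(stmt["Resource"])
            if not any(fnmatch.fnmatchcase(r, p) for r in resources for p in patterns):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "Deny"


def run_instances_decision(policies, region, image_owner, image_source):
    """Decide whether B1 may call ecs:RunInstances with a given image in a region.

    The resource strings and the ecs:ImageSource values other than "Custom"
    are constructed for this example; the page does not name the real values
    used for public or Marketplace images.
    """
    resources = [
        f"acs:ecs:{region}:*:instance/*",
        f"acs:ecs:{region}:{image_owner}:image/m-example",
    ]
    context = {"ecs:ImageOwnerId": image_owner, "ecs:ImageSource": image_source}
    return evaluate(policies, "ecs:RunInstances", resources, context)


if __name__ == "__main__":
    checks = [
        ("Scenario 1, image shared by A, cn-hangzhou", SCENARIO_1, "cn-hangzhou", ACCOUNT_A, "Custom"),
        ("Scenario 1, image shared by C, cn-hangzhou", SCENARIO_1, "cn-hangzhou", ACCOUNT_C, "Custom"),
        ("Scenario 1, image shared by C, cn-beijing (Deny is region-scoped)", SCENARIO_1, "cn-beijing", ACCOUNT_C, "Custom"),
        ("Scenario 2, shared custom image from C", SCENARIO_2, "cn-hangzhou", ACCOUNT_C, "Custom"),
        ("Scenario 2, public image (constructed source value)", SCENARIO_2, "cn-hangzhou", "aliyun", "System"),
        ("Deny policy attached without the Allow policy", [DENY_IMAGE_NOT_FROM_A], "cn-hangzhou", ACCOUNT_A, "Custom"),
    ]
    for label, pols, region, owner, source in checks:
        print(f"{label}: {run_instances_decision(pols, region, owner, source)}")
```

The region-scoped result is the caveat to keep in mind when reusing these policies: both Deny statements name cn-hangzhou in their Resource element, so to enforce the restriction in every region the Resource must use a wildcard for the region segment, or a statement must be added per region.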