
Elastic Compute Service:Configure policies for shared images used to create ECS instances

Last Updated:Mar 18, 2024

When you share custom images, including encrypted custom images, with other Alibaba Cloud accounts, you can configure the policies described in this topic to control which images a RAM user in the receiving account is allowed to use when creating ECS instances.

Scenarios

In this topic, Alibaba Cloud accounts A and B and RAM user B1 that belongs to B are used to show how to configure policies to control permissions on resources in the following scenarios:

  • B1 is allowed to create ECS instances only from custom images shared by A.

  • B1 is allowed to create ECS instances only from custom images, not from images of other sources.

Preparations

  • Obtain the account IDs of A and B.

    To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

  • Use B to grant B1 the permissions required to create ECS instances. The following example provides a sample policy that can be configured to grant permissions to B1:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RunInstances",
                    "ecs:CreateInstance"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  • If you share an encrypted custom image, you must configure other policies. For more information, see Share an encrypted custom image.

Configure policies to grant permissions to B1 to use only a custom image shared by A to create an ECS instance

Grant permissions to B1

  1. Use B to create a custom policy.

    For more information, see Create a custom policy on the JSON tab.

    The following example shows a sample custom policy that can be configured. The ecs:ImageOwnerId condition key restricts B1 to custom images shared by the specified account: the statement explicitly denies ecs:RunInstances and ecs:CreateInstance whenever the owner of the image is not that account, and an explicit Deny takes precedence over the Allow that B1 received in the Preparations section. Replace the "123456789012****" value of the ImageOwnerId parameter with the account ID of A. The Resource element scopes the restriction to the cn-hangzhou region only; to enforce it in all regions, use acs:ecs:*:*:image/* instead.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "ecs:RunInstances",
            "ecs:CreateInstance"
          ],
          "Effect": "Deny",
          "Resource": "acs:ecs:cn-hangzhou:*:image/*",
          "Condition": {
            "StringNotEquals": {
              "ecs:ImageOwnerId": "123456789012****"
            }
          }
        }
      ]
    }
  2. Use B to attach the created policy to B1.

    For more information, see Grant permissions to a RAM user.

Verify the permissions of B1

Use B1 to create an ECS instance from a custom image and check the results:

  • Use a custom image shared by A to create an ECS instance. The operation succeeds.

  • Use a custom image shared by another Alibaba Cloud account such as C to create an ECS instance. The operation is denied, because the ecs:ImageOwnerId of the image does not match the account ID specified in the policy.

Configure policies to grant permissions to B1 to use only a custom image to create an ECS instance

Grant permissions to B1

  1. Use B to create a custom policy.

    For more information, see Create a custom policy on the JSON tab.

    The following example shows a sample custom policy that can be configured. "ecs:ImageSource": "Custom" indicates that only custom images can be used to create ECS instances: the statement explicitly denies ecs:RunInstances and ecs:CreateInstance whenever the source of the image is not Custom, and an explicit Deny takes precedence over the Allow that B1 received in the Preparations section. The Resource element scopes the restriction to the cn-hangzhou region only; to enforce it in all regions, use acs:ecs:*:*:instance/* instead.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:RunInstances",
                    "ecs:CreateInstance"
                ],
                "Effect": "Deny",
                "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
                "Condition": {
                    "StringNotEquals": {
                        "ecs:ImageSource": "Custom"
                    }
                }
            }
        ]
    }
  2. Use B to attach the created policy to B1.

    For more information, see Grant permissions to a RAM user.

Verify the permissions of B1

Use B1 to create an ECS instance from a custom image. The operation succeeds. If B1 instead selects an image that is not a custom image, such as a public image, the request is denied because ecs:ImageSource is not Custom.
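The following Python model, added here as an illustration and not part of Alibaba Cloud's documentation or RAM implementation, evaluates the three policies on this page (the Allow from Preparations, the ecs:ImageOwnerId Deny and the ecs:ImageSource Deny) against sample RunInstances requests for both scenarios above. It implements only the rules the page relies on: explicit Deny wins over Allow, a request without a matching Allow is implicitly denied, Action and Resource are matched with * wildcards, and StringEquals/StringNotEquals compare request context values. Assumptions: the account IDs for B and C, the image ID, the behaviour for a condition key absent from the request, and the non-Custom image source value "System" are all constructed for the example; only "Custom" is confirmed by the page.

```python
import fnmatch

# Account IDs: the placeholder the page uses for A, plus constructed IDs for
# B (the account that owns RAM user B1) and a third account C.
ACCOUNT_A = "123456789012****"
ACCOUNT_B = "222222222222****"
ACCOUNT_C = "333333333333****"

# The three policies from the page, as Python dicts.
PREPARE_ALLOW = {"Version": "1", "Statement": [{
    "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
    "Resource": "*", "Effect": "Allow"}]}

OWNER_DENY = {"Version": "1", "Statement": [{
    "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
    "Effect": "Deny", "Resource": "acs:ecs:cn-hangzhou:*:image/*",
    "Condition": {"StringNotEquals": {"ecs:ImageOwnerId": ACCOUNT_A}}}]}

SOURCE_DENY = {"Version": "1", "Statement": [{
    "Action": ["ecs:RunInstances", "ecs:CreateInstance"],
    "Effect": "Deny", "Resource": "acs:ecs:cn-hangzhou:*:instance/*",
    "Condition": {"StringNotEquals": {"ecs:ImageSource": "Custom"}}}]}


def _glob_any(patterns, value):
    """True if value matches any pattern; '*' in a policy is a wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """StringEquals / StringNotEquals against the request context.
    Model assumption: a key absent from the request never satisfies the
    condition (the page does not describe RAM's missing-key behaviour)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                return False
            expected = expected if isinstance(expected, list) else [expected]
            if (context[key] in expected) != (operator == "StringEquals"):
                return False
    return True


def evaluate(policies, action, resources, context):
    """Return 'Allow' or 'Deny' for one request.
    Modelled rules: a matching explicit Deny wins over any Allow; without a
    matching Allow the request is implicitly denied. A request that touches
    several resources matches a statement if any of them fits its Resource."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _glob_any(stmt["Action"], action):
                continue
            if not any(_glob_any(stmt["Resource"], r) for r in resources):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def run_instances(policies, region, image_owner, image_source):
    """B1 calls RunInstances in `region` from an image with the given owner
    and source. The image ID and instance ARN are constructed placeholders."""
    resources = [
        f"acs:ecs:{region}:{image_owner}:image/m-constructed",
        f"acs:ecs:{region}:{ACCOUNT_B}:instance/*",
    ]
    context = {"ecs:ImageOwnerId": image_owner, "ecs:ImageSource": image_source}
    return evaluate(policies, "ecs:RunInstances", resources, context)


if __name__ == "__main__":
    s1 = [PREPARE_ALLOW, OWNER_DENY]          # scenario 1: only images shared by A
    print("A's image, cn-hangzhou:", run_instances(s1, "cn-hangzhou", ACCOUNT_A, "Custom"))
    print("C's image, cn-hangzhou:", run_instances(s1, "cn-hangzhou", ACCOUNT_C, "Custom"))
    # The Deny is scoped to cn-hangzhou, so the same request in another region passes.
    print("C's image, cn-beijing: ", run_instances(s1, "cn-beijing", ACCOUNT_C, "Custom"))
    s2 = [PREPARE_ALLOW, SOURCE_DENY]         # scenario 2: only custom images
    print("custom image:    ", run_instances(s2, "cn-hangzhou", ACCOUNT_A, "Custom"))
    # "System" is an assumed non-Custom value; the page confirms only "Custom".
    print("non-custom image:", run_instances(s2, "cn-hangzhou", ACCOUNT_A, "System"))
```

The third request is the check worth keeping: with the page's Resource element the restriction is silently absent in every region other than cn-hangzhou, which is why a region wildcard is preferable when the intent is account-wide. The model also shows that each Deny policy on its own grants nothing; B1 is only able to create instances at all because of the separate Allow from the Preparations section.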