Shared images can be used to deploy Elastic Compute Service (ECS) instances across multiple Alibaba Cloud accounts within the same region. After you create a custom image, you can share the custom image to other Alibaba Cloud accounts or within your organization based on resource directories or folders. Then, the sharees can use the shared image to create identical ECS instances. This topic describes how to share unencrypted custom images and the items that you must take note of before you share images.

Scenarios

  • Scenario 1: You want to share images in your Alibaba Cloud account to one or more Alibaba Cloud accounts.
  • Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory to all members in the resource directory or to all members in a specific folder in the resource directory.

    If you share images in scenario 2, all accounts within the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.

    Note Resource Directory is a service that can be used to manage the relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.

Preparations

  • Before you share a custom image, make sure that all sensitive data and files are removed from the image.
  • When you share an image in different scenarios, take note of the following items:
    • To share an image to other Alibaba Cloud accounts, you must obtain the IDs of the Alibaba Cloud accounts.

      To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account in the user information panel, the account ID is an Alibaba Cloud account ID.

    • To share an image within your organization based on resource directories or folders, you must enable resource directories by using the management account and member accounts. For information about how to enable a resource directory, see Enable a resource directory.
  • You can share images across accounts only within the same region. If you want to share images across regions, you must copy the image to the destination region and then share the image copy, or share the image and copy the shared image to other regions. For more information, see Copy an image.

Precautions

Before you share images, take note of the items described in the following tables.

Sharers

Item | Description
Sharing fee | You are not charged for sharing images.
Account permission
  • You can share only custom images that are created within your account. You cannot share custom images that are created and shared by other accounts.
  • A custom image can be shared to up to 50 accounts.
  • If you want to share images to Alibaba Cloud accounts, you must use your Alibaba Cloud account to share the images. Alibaba Cloud accounts can grant permissions to their Resource Access Management (RAM) users by attaching policies.
    • For example, assume that Alibaba Cloud Account A shares an image to Alibaba Cloud Account B and that Alibaba Cloud Account B has RAM User B1. Account B must grant permissions on the shared image to B1 based on scenarios.
      Note
      Scenario 1: If B1 needs to view the shared image, B1 must be granted the permissions to call the DescribeImages operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:DescribeImages"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Scenario 2: If B1 needs to create ECS instances from the shared image, B1 must be granted the permissions to call the RunInstances or CreateInstance operation. To grant the permissions to B1, Account B must attach a custom policy similar to the following one to B1:
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "ecs:RunInstances",
                      "ecs:CreateInstance"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      For more information, see Create a custom policy on the JSON tab.
    • In specific cases, Alibaba Cloud accounts need to implement fine-grained permission control on their RAM users by attaching custom policies. For example, an Alibaba Cloud account can grant its RAM users only the permissions to create ECS instances from an image shared by another Alibaba Cloud account, or the permissions to create ECS instances from custom images instead of public images or Alibaba Cloud Marketplace images. For more information, see Configure policies for shared images used to create ECS instances.
Limits on regions
  • You can share images across accounts only within the same region and cannot share images across regions. If you want to share images across regions, you must copy the image to the destination region and then share the image copy, or share the image and copy the shared image to other regions. For more information, see Copy an image.
  • You can share images between accounts across the China (aliyun.com), International (alibabacloud.com), and Japan (jp.alibabacloud.com) sites, except for custom images that are derived from Alibaba Cloud Marketplace images. Fees of custom images that are derived from Alibaba Cloud Marketplace images vary with sites. You cannot share these images across the sites.
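
The following Python check is an added example, not Alibaba Cloud's code: it tests whether a RAM policy for user B1 grants exactly the actions that the two scenarios under Account permission call for. It evaluates only Effect and Action, with `*` wildcards and explicit Deny taking precedence, and ignores Resource and Condition (a simplifying assumption); the function and constant names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Actions the page names for RAM user B1 in each scenario.
VIEW = {"ecs:DescribeImages"}
CREATE = {"ecs:RunInstances", "ecs:CreateInstance"}


def _listify(value):
    """RAM policies accept a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy_text, needed):
    """Compare a RAM policy's actions with the set a scenario needs.

    Returns (missing, excess): needed actions the policy does not grant,
    and Allow entries that go beyond the needed set. Only Effect and Action
    are evaluated; Resource and Condition are ignored (simplification).
    """
    policy = json.loads(policy_text)  # a trailing comma raises ValueError here
    allow, deny = [], []
    for stmt in policy["Statement"]:
        bucket = allow if stmt["Effect"] == "Allow" else deny
        bucket.extend(_listify(stmt["Action"]))

    def granted(action):
        # An explicit Deny overrides any Allow; "*" is treated as a wildcard.
        matches = lambda patterns: any(fnmatchcase(action, p) for p in patterns)
        return matches(allow) and not matches(deny)

    missing = sorted(a for a in needed if not granted(a))
    excess = sorted(set(allow) - set(needed))
    return missing, excess


# Constructed sample policies (VIEW_ONLY mirrors Scenario 1 on this page).
VIEW_ONLY = ('{"Version": "1", "Statement": [{"Action": ["ecs:DescribeImages"],'
             ' "Resource": "*", "Effect": "Allow"}]}')
TOO_BROAD = ('{"Version": "1", "Statement": ['
             '{"Action": "ecs:*", "Resource": "*", "Effect": "Allow"},'
             '{"Action": "ecs:CreateInstance", "Resource": "*", "Effect": "Deny"}]}')

if __name__ == "__main__":
    for text, need in ((VIEW_ONLY, VIEW), (VIEW_ONLY, CREATE), (TOO_BROAD, CREATE)):
        print(review_policy(text, need))
```

An empty `missing` list with an empty `excess` list means the policy matches the scenario exactly; anything in `excess`, such as `ecs:*`, is a grant to review before attaching the policy.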

Sharees

Item | Description
Sharing fee
  • Images that are shared to an account do not count against the image quota for the account. The account is not charged for images shared to it.
  • If a shared image is a paid image and the sharees use the shared image to create ECS instances, the sharees are charged for the image. For example, if you use a paid image that is shared by another Alibaba Cloud account to create an instance, you are charged for the shared image and created instance.

For more information about image billing, see Images.

Limits | Sharees can use shared images only to create ECS instances. Alternatively, they can copy the shared images to their accounts as custom images and then delete or update the images. For more information, see Use shared images.

Procedure

This section describes how to share an image to other Alibaba Cloud accounts or within your organization based on resource directories or folders. In the example, an unencrypted custom image is used.
Note If you want to share an encrypted custom image, you must use RAM to obtain the required permissions. For more information, see Share an encrypted custom image.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Images.
  3. In the top navigation bar, select a region.
  4. On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
  5. In the Share Image dialog box, perform the following operations based on the image sharing scenario.
    • Share the image to other Alibaba Cloud accounts
      1. Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field. You can enter up to 50 Alibaba Cloud account IDs at the same time.
      2. Click Share Image.
    • Share the image within your organization based on resource directories or folders
      1. In the Sharee Type section, click Shared Organization.
        Note Only the management account or member accounts for which a resource directory is enabled can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
      2. Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
        Note In the Select Shared Resource section of the Create Resource Share page, set Resource Type to ECS Image.

What to do next

  • After the image is shared, the sharees can use the shared image in the ECS console. For more information, see Use shared images.
  • You can unshare images that are no longer needed. For more information, see Unshare custom images.