Elastic Compute Service: Share a snapshot

Last Updated: Apr 23, 2024

You can share disk snapshots with other Alibaba Cloud accounts or within your organization based on resource directories. Other Alibaba Cloud accounts can use your shared snapshots to quickly create disks to meet daily O&M requirements. This topic describes how to share a snapshot, how to use a shared snapshot, and how to unshare a snapshot. This topic also describes the considerations that apply to the preceding operations.

Note

Resource Directory is a service that can be used to manage the relationships between a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.

Considerations

Before you share a snapshot, take note of the considerations that are described in the following table.

Consideration

Description

Fees

  • Snapshots are shared free of charge.

  • You are charged resource fees when you use shared snapshots to create disks and copy snapshots across regions.

Limits

  • Accounts

    Snapshots can be shared only between Alibaba Cloud accounts.

  • Quantities

    • You can share a snapshot with up to 64 Alibaba Cloud accounts.

    • Each Alibaba Cloud account can share up to 1,024 snapshots.

  • Encrypted snapshots

    • Snapshots that are encrypted with the default service customer master key (CMK) of Key Management Service (KMS) cannot be shared.

      If you want to share a snapshot that is encrypted with a default service CMK, copy the snapshot and select a custom CMK for the snapshot copy during the snapshot copy process. Then, you can share the snapshot copy.

    • When you use a shared encrypted snapshot to create disks, you must use different encryption keys for the disks.

      Note

      When you use shared encrypted snapshots to create disks, you can create only enhanced SSDs (ESSDs). If you want to use a shared encrypted snapshot to create disks of other categories, you can copy the snapshot and then use the snapshot copy to create disks.

    • When you copy a shared encrypted snapshot, you must use a different encryption key for the snapshot copy.

  • Other limits

    • Accounts cannot reshare the snapshots that are shared with them. If you want to reshare a snapshot that is shared with you, perform one of the following operations:

      • Create a disk from the snapshot, create a snapshot of the new disk, and then share the new snapshot.

      • Copy the snapshot and then share the snapshot copy.

    • After snapshots are shared with accounts, the snapshots remain available to the accounts for up to three years or until the snapshots are unshared. For information about how to unshare a snapshot, see the Unshare a snapshot section of this topic.

    • Shared snapshots cannot be used to create custom images.

Share a snapshot

Preparations

  • Before you share a snapshot, we recommend that you make sure that the snapshot does not contain sensitive data or files.

  • Make preparations based on the scenario in which you want to share a snapshot.

    • If you want to share a snapshot with other Alibaba Cloud accounts, obtain the IDs of the accounts.

      To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account, the account ID is an Alibaba Cloud account ID.

    • To share a snapshot within your organization based on resource directories, you must enable resource directories by using management accounts or member accounts. For more information, see Enable a resource directory.

Share a snapshot

This section describes how to share a snapshot in an Alibaba Cloud account (Account A) with another Alibaba Cloud account (Account B).

Share a normal snapshot

  1. Use Account A to log on to the ECS console.

  2. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the snapshot that you want to share, click the icon in the Actions column, and choose Share Snapshot.

  5. In the Add to Resource Share dialog box, configure the parameters.

    1. Select a resource share that you created. The resource shares that you created are listed under Shared By Me, which you can also view by choosing Resource Management > Resource Sharing > Resources I Share in the left-side navigation pane of the Resource Management console.

      Note

      The Resource Sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner. For more information about resource shares, see Resource Sharing overview.

    2. In the Principals section, click Edit to add a principal.

      1. By default, the Principal Scope parameter is set to All Accounts. For more information, see the Methods used to share resources section in the "Resource Sharing overview" topic.

      2. Set Principal ID to the ID of Account B and click Add to share the snapshot with Account B.

  6. Click OK.

Share an encrypted snapshot

Step 1: Create a Resource Access Management (RAM) role and grant permissions to the RAM role

Before you can share an encrypted snapshot, log on to the RAM console to create a role named AliyunECSShareEncryptSnapshotDefaultRole and grant permissions to the role. Then, you can use the role to share the encrypted snapshot with other Alibaba Cloud accounts.

  1. Use Account A to log on to the RAM console.

  2. Create a RAM role named AliyunECSShareEncryptSnapshotDefaultRole.

    1. In the left-side navigation pane, choose Identities > Roles.

    2. Click Create Role.

    3. In the Select Role Type step, select Alibaba Cloud Account and click Next.

    4. In the Configure Role step, enter AliyunECSShareEncryptSnapshotDefaultRole in the RAM Role Name field, set Select Trusted Alibaba Cloud Account to Current Alibaba Cloud Account, and then click OK.

  3. Grant permissions to the AliyunECSShareEncryptSnapshotDefaultRole role.

    1. In the Finish step, click Add Permissions to RAM Role.

    2. In the Select Policy section of the Grant Permission panel, click Create Policy.

    3. On the Create Policy page, click the JSON tab.

    4. Edit the following policy code. The policy grants only the permissions required to share snapshots that are encrypted with the specified key, in a specific region and a specific Alibaba Cloud account:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "kms:List*",
            "Resource": "acs:kms:cn-hangzhou:<Alibaba Cloud UID of the KMS key>:key",
            "Effect": "Allow"
          },
          {
            "Action": [
              "kms:DescribeKey",
              "kms:TagResource",
              "kms:UntagResource",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:GenerateDataKey"
            ],
            "Resource": "acs:kms:cn-hangzhou:<Alibaba Cloud UID of the KMS key>:key/<KMS key associated with the snapshot>",
            "Effect": "Allow"
          }
        ]
      }

      Replace cn-hangzhou, <Alibaba Cloud UID of the KMS key>, and <KMS key associated with the snapshot> with the region ID of the snapshot that you want to share, the ID of the Alibaba Cloud account to which the snapshot belongs, and the ID of the KMS key that is used to encrypt the snapshot, respectively.

    5. Configure other parameters based on the on-screen instructions.

  4. Edit the trust policy of the AliyunECSShareEncryptSnapshotDefaultRole role so that the role trusts Account B.

    1. Go back to the Roles page. In the search box to the right of Create Role, enter AliyunECSShareEncryptSnapshotDefaultRole. Then, click the role name to go to the role details page.

    2. On the AliyunECSShareEncryptSnapshotDefaultRole role details page, click the Trust Policy tab.

    3. Click Edit Trust Policy and replace the default trust policy in the Edit Trust Policy panel.

      • If you want to share an encrypted snapshot with an Alibaba Cloud account, replace the default trust policy with the following policy. In the replacement policy, replace <UID> with the ID of the Alibaba Cloud account with which to share the snapshot.

        {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "<UID>@ecs.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }

      • If you want to share an encrypted snapshot with multiple Alibaba Cloud accounts, replace the default trust policy with the following policy. In the replacement policy, replace <UID-X> with the ID of each Alibaba Cloud account with which to share the snapshot.

        {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "<UID-1>@ecs.aliyuncs.com",
                  "<UID-2>@ecs.aliyuncs.com",
                  "<UID-3>@ecs.aliyuncs.com"
                ]
              }
            }
          ],
          "Version": "1"
        }

    4. Click OK.
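
The following check is an added example, not part of the original Alibaba Cloud documentation. It audits the permission policy and the trust policy from Step 1 before they are saved: it flags placeholders that were not replaced, KMS resources that are not scoped to one key, and trusted accounts that are not on an approved list. The ID formats in the regular expressions, the function names, and the sample account IDs are assumptions made for the example.

```python
import re

# Actions the page's policy grants on the one KMS key that encrypts the snapshot.
KEY_ACTIONS = {"kms:DescribeKey", "kms:TagResource", "kms:UntagResource",
               "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
# Assumed ID shapes: numeric account UID; letters, digits, hyphens elsewhere.
KEY_ARN = re.compile(r"acs:kms:[a-z0-9-]+:\d+:key/[A-Za-z0-9-]+")
KEY_LIST_ARN = re.compile(r"acs:kms:[a-z0-9-]+:\d+:key")
ECS_PRINCIPAL = re.compile(r"(\d+)@ecs\.aliyuncs\.com")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_permission_policy(policy):
    """Flag Allow statements that are broader than the page's template."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        listing = actions == {"kms:List*"}
        if not listing and actions - KEY_ACTIONS:
            findings.append(f"statement {i}: extra actions {sorted(actions - KEY_ACTIONS)}")
        pattern = KEY_LIST_ARN if listing else KEY_ARN
        for res in _as_list(st.get("Resource", [])):
            if not pattern.fullmatch(res):
                findings.append(f"statement {i}: resource {res!r} is a placeholder or too broad")
    return findings

def audit_trust_policy(policy, approved_uids):
    """Flag principals other than <UID>@ecs.aliyuncs.com for an approved UID."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        for kind in sorted(set(principal) - {"Service"}):
            findings.append(f"statement {i}: unexpected principal type {kind!r}")
        for svc in _as_list(principal.get("Service", [])):
            m = ECS_PRINCIPAL.fullmatch(svc)
            if m is None:
                findings.append(f"statement {i}: unexpected principal {svc!r}")
            elif m.group(1) not in approved_uids:
                findings.append(f"statement {i}: account {m.group(1)} is not approved")
    return findings

# Constructed sample: one approved account, one unapproved, one leftover placeholder.
SAMPLE_TRUST = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": [
        "1111111111111111@ecs.aliyuncs.com", "2222222222222222@ecs.aliyuncs.com",
        "<UID-3>@ecs.aliyuncs.com"]}}]}
print(audit_trust_policy(SAMPLE_TRUST, approved_uids={"1111111111111111"}))
```

An empty list from both functions means the policies match the template on this page and trust only the accounts that you intend to share with.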

Step 2: Share the encrypted snapshot

  1. Use Account A to log on to the ECS console.

  2. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the encrypted snapshot that you want to share, click the icon in the Actions column, and choose Share Snapshot.

  5. In the Add to Resource Share dialog box, configure the parameters.

    1. Select a resource share that you created. The resource shares that you created are listed under Shared By Me, which you can also view by choosing Resource Management > Resource Sharing > Resources I Share in the left-side navigation pane of the Resource Management console.

      Note

      The Resource Sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner. For more information about resource shares, see Resource Sharing overview.

    2. In the Principals section, click Edit to add a principal.

      1. By default, the Principal Scope parameter is set to All Accounts. For more information, see the Methods used to share resources section in the "Resource Sharing overview" topic.

      2. Set Principal ID to the ID of Account B and click Add to share the snapshot with Account B.

  6. Click OK.

Use a shared snapshot

The snapshot is shared with Account B only after Account B accepts the snapshot sharing invitation from Account A.

  1. Accept the snapshot sharing invitation.

    1. Use Account B to log on to the Resource Management console.

    2. In the left-side navigation pane, choose Resource Sharing > Resources Shared To Me.

    3. In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.

    4. On the Resources Shared To Me page, find the created resource share and click Accept in the Status column.

    5. In the Accept Resource Sharing Invitation dialog box, click Accept.

      By accepting the invitation, Account B obtains access to the shared snapshot and accepts sharing invitations for resources that are subsequently added to the resource share.

  2. View the shared snapshot.

    1. Use Account B to log on to the ECS console.

    2. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.

    3. In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.

    4. View the shared snapshot in the snapshot list.

      • Move the pointer over the icon. A tag in the following format appears: acs:ecs:sharedFrom:<UID of the account that shares the snapshot>:<Region in which the source snapshot resides>:<ID of the source snapshot>.

      • Creation Method is set to Shared Snapshot.

      • Move the pointer over the icon. Information such as the ID of the account that shares the snapshot and the ID of the source snapshot is displayed.

        You can also click the icon in the Actions column and choose View Shared Snapshot to view information about the shared snapshot in the Resource Management console.

  3. Use the shared snapshot.

    • If you share an unencrypted snapshot with Account B, Account B can perform the following operations on the snapshot:

    • If you share an encrypted snapshot with Account B, Account B can perform the following operations on the snapshot:

      • Create a disk from the snapshot and use a different encryption key for the disk. For more information, see Create a disk from a snapshot.

      • Copy the snapshot and use a different encryption key for the snapshot copy. For more information, see Copy a snapshot.

Unshare a snapshot

If Account A no longer needs to share a snapshot with Account B, Account A can unshare the snapshot.

Important

After Account A unshares a snapshot from Account B, the following changes take effect:

  • Account B can no longer view the snapshot by using the ECS console or by calling an ECS API operation.

  • The disks that Account B created from the snapshot can no longer be reset. If the snapshot is copied by Account B across regions, the snapshot copies are not affected.

  1. Use Account A to log on to the ECS console.

  2. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. Find the snapshot that you want to unshare, click the icon in the Actions column, and choose Share Snapshot.

  5. In the Add to Resource Share dialog box, select the resource share to which the snapshot is added.

  6. In the Principals section, click Edit.

  7. In the Added Principals section, click Remove in the Actions column.

  8. Click OK to unshare the snapshot from Account B.

References

If you no longer need a snapshot, we recommend that you delete the snapshot at the earliest opportunity to prevent unnecessary costs.