Share a snapshot with other Alibaba Cloud accounts - Elastic Compute Service

You can share disk snapshots with other Alibaba Cloud accounts or within your organization using resource directories. Other accounts can utilize your shared snapshots to swiftly create disks for daily operations and maintenance. This topic describes the steps to share, use, and unshare a snapshot, along with important considerations for these processes.

Note

Resource Directory (RD) is a service provided by Alibaba Cloud for enterprise users to manage multiple accounts and resources. It enables you to establish an organizational structure based on business needs and consolidate enterprise accounts into a hierarchical resource structure. For more information, see what is Resource Directory.

Considerations

Before sharing a snapshot, take into account the following:

Consideration	Description
Sharing fees	The sharing process itself is free of charge. You are charged resource fees when you use shared snapshots to create disks or copy snapshots across regions.
Sharing limits	You can share a snapshot with up to 64 Alibaba Cloud accounts. Each Alibaba Cloud account can share up to 1,024 snapshots.
Account restrictions	Snapshots can be shared only between Alibaba Cloud accounts. Snapshots cannot be shared between accounts on the China site and the international site.
Encrypted snapshot restrictions	Snapshots that are encrypted with service keys cannot be shared. When you create disks or copy shared encrypted snapshots, you must replace the key. Note If you need to share a snapshot that is encrypted with a service key, you can use the copy snapshot feature to replace the service key with a custom key before sharing. For more information about ECS encryption keys, see encryption keys.
Other restrictions	Shared snapshots cannot be used to create custom images. The ID of a shared snapshot is different from the original snapshot ID, so shared snapshots cannot be used to roll back disks. Shared snapshots cannot be deleted directly. You must first unshare the snapshot before you can delete it. Shared snapshots cannot be shared again. Note If you need to operate on a shared snapshot, you can: Create a new disk from the current shared snapshot, create a new snapshot of the disk, and then share the new snapshot. Copy the shared snapshot and then share the new snapshot copy. Shared snapshots cannot have their retention period extended. Note If the original snapshot is retained permanently, the retention period of the shared snapshot is 3 years (1,095 days). If the original snapshot has a custom retention period, the shared snapshot follows the original snapshot's retention period.

Preparations

Ensure the snapshot is free of sensitive data and files before sharing.
Complete the necessary preparations based on the sharing scenario.
- When sharing a snapshot with other Alibaba Cloud accounts, retrieve the account ID.
  
  To obtain the ID: Hover the mouse over the profile picture in the upper-right corner of the console. If the account is identified as the Primary Account, the displayed ID is the Alibaba Cloud account ID.
- To share a snapshot within your organization using resource directories, enable resource directories through the management account or member accounts. For more information, see enable Resource Directory.

Share a snapshot

Share a snapshot through the console

Sharer shares a snapshot

(Conditionally required) The sharer creates a role and grants permissions.

If sharing an encrypted snapshot, since it's encrypted with a KMS key from your Alibaba Cloud account, you must grant permissions for the shared account to access the KMS key before sharing. For more information, see cross-account sharing of encrypted resources.
The sharer logs on to the ECS console and navigates to the snapshot sharing action page.
1. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
2. In the top navigation bar, select the region and resource group to which the resource belongs.
3. Locate the target encrypted snapshot. In the Action column, select > Share Snapshot.
In the Add To Resource Share dialog box, set the shared snapshot parameters.
1. Select a previously created resource share in the Resource Sharing console.
  
  Note
  Resource Sharing, a feature of Resource Management, enables you to share snapshots with other Alibaba Cloud accounts. Create resource shares to share your resources, which consist of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts invited to use the owner's resources. For more details on resource shares, see what is resource sharing.
2. In the Add Principals section, enter the Alibaba Cloud account ID of the sharee and click Add.
3. After adding the sharee, click Confirm.

Sharee uses a shared snapshot

The sharee must accept the snapshot sharing invitation to complete the sharing process.

The sharee accepts the shared snapshot.
1. The sharee logs on to the Resource Sharing console.
2. In the left-side navigation pane, select Resource Sharing >Shared With Me.
3. In the top navigation bar's upper-left corner, select the region where the shared snapshot is located.
4. On the Shared With Me page, click Accept in the Status column for the target resource share.
5. In the Accept Resource Sharing dialog box, click OK.
  
  After accepting the invitation, you can use the shared snapshot. Future sharing invitations for resources added to the resource share are automatically accepted.
View the shared snapshot.
1. The sharee logs on to the ECS console.
2. In the left-side navigation pane, select Storage & Snapshots > Snapshots.
3. In the top navigation bar's upper-left corner, select the region where the shared snapshot is located.
4. Find the shared snapshot in the snapshot list.
  - Hover over the icon. The label Acs:ecs:sharedfrom:<sharee Uid>:<source Region Of The Shared Snapshot>:<source Snapshot ID> appears.
  - The Snapshot Source is marked as Shared Snapshot.
  - Hover over the icon to view details like the shared account ID and source snapshot ID.
    
    Alternatively, select Operation in the shared snapshot column, then choose > View Shared Snapshot to see the shared information in the Resource Sharing Console.
Use the shared snapshot.
- For unencrypted snapshots, the sharee can:
  - Create a new disk: For instructions, see create a data disk from a snapshot.
  - Copy the shared snapshot: For details, see copy a snapshot.
- For encrypted snapshots, the sharee can:
  - Create a new disk, but must change the key: See create a data disk from a snapshot for guidance.
    
    Note
    When using shared encrypted snapshots to create disks, only Enterprise SSDs (ESSDs) can be created. If other types of disks are needed, first copy the snapshot and then create a new disk from the copied snapshot.
  - Copy the shared snapshot, but must change the key: Refer to copy a snapshot for the procedure.

Share a snapshot through SDK

This section explains how to use ECS and Resource Sharing SDKs to share a snapshot across accounts and create a disk from the shared snapshot. The example uses Java SDKs and an open-source sample project.

Download the sample project: snapshot sharing sample.

The project includes these code snippets:
- CreateResourceShare: The sharer creates a resource share and initiates snapshot sharing.
- ReceiveResourceShare: The sharee accepts the snapshot sharing invitation.
- UseResourceShare: The sharee uses the shared snapshot to create a disk.
Set up the sample project.
1. Add SDK dependencies in the pom.xml file. For more information, see install Java SDK.
```

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>resourcesharing20200110</artifactId>
  <version>${lastVersion}</version>
</dependency>

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>alibabacloud-ecs20140526</artifactId>
  <version>${lastVersion}</version>
</dependency>
```
  Note
  SDK packages are frequently updated. For the latest version dependencies, visit the GitHub link on the SDK overview page.
2. Add the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET to your local environment and input your AccessKey ID and Secret.
3. Replace other project variables with actual values, such as the snapshot ID to share, the UID of the account to share with, and the disk category to create.
Compile and run the Java code snippets as needed.
Verify the results in the corresponding consoles.

For instance, the sharer can check the created resource share in the Resource Sharing console, while the sharee can view the shared snapshot and the disk created from it in the ECS console.

Unshare a snapshot

If you no longer want to share a snapshot with another Alibaba Cloud account, you can unshare it.

Considerations

After a snapshot is unshared, the sharee will experience the following:

The snapshot will no longer appear in the ECS console or be accessible via ECS API.
Disks created from the shared snapshot cannot be reinitialized.
Snapshots copied from the shared snapshot remain unaffected.

Procedure

The sharer logs on to the ECS console and navigates to the snapshot sharing action page.
1. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
2. In the top navigation bar, select the region and resource group to which the resource belongs.
3. Locate the target encrypted snapshot. In the Action column, select > Share Snapshot.
Unshare the snapshot.
1. In the Add To Resource Share dialog box, select the target resource share.
2. In the Principals area, click Edit.
3. From the Added Principals list, click Remove in the Action column.
4. Click OK to confirm and stop sharing the snapshot with other Alibaba Cloud accounts.