You can share disk snapshots with other Alibaba Cloud accounts or within your organization based on resource directories. Other Alibaba Cloud accounts can use your shared snapshots to quickly create disks to meet daily O&M requirements. This topic describes how to share a snapshot, how to use a shared snapshot, and how to unshare a snapshot. This topic also describes the considerations that apply to the preceding operations.
Resource Directory is a service that can be used to manage the relationships between a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to form a hierarchy for the resources of your organization. For more information, see Resource Directory overview.
Considerations
Before you share a snapshot, take note of the considerations that are described in the following table.
Consideration | Description |
Fees |
|
Limits |
|
Preparations
Before you share a snapshot, we recommend that you make sure that the snapshot does not contain sensitive data or files.
Make preparations based on the scenario in which you want to share a snapshot.
If you want to share a snapshot with other Alibaba Cloud accounts, obtain the IDs of the accounts.
To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account, the account ID is an Alibaba Cloud account ID.
To share a snapshot within your organization based on resource directories, you must enable resource directories by using management accounts or members. For more information, see Enable a resource directory.
Share a snapshot
Share a snapshot in the ECS console
A sharer shares a snapshot
Share an unencrypted snapshot
Log on to the ECS console as a sharer.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the snapshot that you want to share and choose > Share Snapshot in the Actions column.
In the Add to Resource Share dialog box, configure the parameters.
Select the resource share that you created on the Shared By Me page in the Resource Management console.
Note: The Resource Sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner. For more information about resource shares, see Resource Sharing overview.
In the Principals section, click Edit to add a principal.
By default, the Principal Scope parameter is set to Objects Within Resource Directory. For more information, see the Methods used to share resources section of the "Resource Sharing overview" topic.
Enter the ID of the Alibaba Cloud account with which to share the snapshot and click Add.
Click OK.
Share an encrypted snapshot
Step 1: Create a Resource Access Management (RAM) role and grant permissions to the RAM role
Before you can share an encrypted snapshot, log on to the RAM console to create a role named AliyunECSShareEncryptSnapshotDefaultRole and attach a policy that contains the required permissions to the role. Then, you can use the role to share the encrypted snapshot with other Alibaba Cloud accounts.
Log on to the RAM console as a sharer.
On the Policies page, click Create Policy. On the Create Policy page, click the JSON tab to create a custom policy. For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.
The following code provides an example of the custom policy. The policy grants permissions only on the CMK that is associated with the encrypted snapshot that you want to share.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "kms:List*",
      "Resource": "acs:kms:<ID of the region to which the CMK belongs>:<ID of the Alibaba Cloud account to which the CMK belongs>:key",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:<ID of the region to which the CMK belongs>:<ID of the Alibaba Cloud account to which the CMK belongs>:key/<ID of the CMK associated with the snapshot>",
      "Effect": "Allow"
    }
  ]
}
Note: You must replace <ID of the region to which the CMK belongs>, <ID of the Alibaba Cloud account to which the CMK belongs>, and <ID of the CMK associated with the snapshot> with the ID of the region to which the CMK belongs, the ID of the Alibaba Cloud account to which the CMK belongs, and the CMK ID.
On the Roles page, create a RAM role named AliyunECSShareEncryptSnapshotDefaultRole for a trusted Alibaba Cloud account.
For more information, see Create a RAM role for a trusted Alibaba Cloud account.
On the Roles page, click the AliyunECSShareEncryptSnapshotDefaultRole role that you created to go to the role details page.
On the Permissions tab, click Grant Permission and attach the custom policy that you created in Step 2 to the RAM role. For more information, see the Method 1: Grant permissions to a RAM role by clicking Grant Permission on the Roles page section of the "Grant permissions to a RAM role" topic.
On the Trust Policy tab, click Edit Trust Policy and specify the sharees with which to share the encrypted snapshot. The following code provides an example of the trust policy. For more information, see Edit the trust policy of a RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Note: In the trust policy, replace <UID> with the ID of the Alibaba Cloud account with which to share the snapshot. To share a snapshot with multiple Alibaba Cloud accounts, you must add the IDs of the Alibaba Cloud accounts with which to share the snapshot.
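An added example (not part of the original topic or of Alibaba Cloud's tooling): a pre-share check that the custom policy stays scoped to the one CMK and that the trust policy names only approved sharee accounts. The function names, the sample account IDs and the sample trust policy are constructed for illustration.

```python
import re

# Actions and resource shapes follow the example policies on this page.
KEY_ACTIONS = {"kms:DescribeKey", "kms:TagResource", "kms:UntagResource",
               "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
SERVICE_RE = re.compile(r"^(\d+)@ecs\.aliyuncs\.com$")

def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_kms_policy(policy, region, account_id, key_id):
    """Findings where the custom policy is broader than the page's example."""
    base, findings = f"acs:kms:{region}:{account_id}:key", []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        # kms:List* is granted on the key collection; all else on one CMK only.
        allowed = base if actions == ["kms:List*"] else f"{base}/{key_id}"
        extra = sorted(set(actions) - KEY_ACTIONS - {"kms:List*"})
        if extra:
            findings.append(f"unexpected actions: {extra}")
        for res in as_list(stmt.get("Resource")):
            if res != allowed:
                findings.append(f"resource not scoped to the shared CMK: {res}")
    return findings

def audit_trust_policy(policy, approved_uids):
    """Findings for principals that are not approved sharee accounts."""
    findings = []
    for stmt in policy.get("Statement", []):
        for kind, values in stmt.get("Principal", {}).items():
            for value in as_list(values):
                m = SERVICE_RE.match(value) if kind == "Service" else None
                if m is None:
                    findings.append(f"unexpected principal: {kind}={value}")
                elif m.group(1) not in approved_uids:
                    findings.append(f"unapproved sharee account: {m.group(1)}")
    return findings

# Constructed sample: the <UID> placeholder was left in and an extra account added.
SAMPLE_TRUST = {"Version": "1", "Statement": [{
    "Action": "sts:AssumeRole", "Effect": "Allow",
    "Principal": {"Service": ["<UID>@ecs.aliyuncs.com",
                              "1111111111111111@ecs.aliyuncs.com",
                              "2222222222222222@ecs.aliyuncs.com"]}}]}
if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST, {"1111111111111111"}))
```

An empty list from either function means the policy matches the shape shown in this topic for the given CMK and sharee accounts.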
Step 2: Share the encrypted snapshot
Log on to the ECS console as a sharer.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the encrypted snapshot that you want to share and choose > Share Snapshot in the Actions column.
In the Add to Resource Share dialog box, configure the parameters.
Select the resource share that you created on the Shared By Me page in the Resource Management console.
Note: The Resource Sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner. For more information about resource shares, see Resource Sharing overview.
In the Principals section, click Edit to add a principal.
By default, the Principal Scope parameter is set to Objects Within Resource Directory. For more information, see the Methods used to share resources section of the "Resource Sharing overview" topic.
Enter the ID of the Alibaba Cloud account with which to share the snapshot and click Add.
Specify the parameters. Then, click OK.
A sharee uses a shared snapshot
The sharee must accept the invitation to use the shared snapshot from the sharer.
The sharee accepts the shared snapshot.
Log on to the Resource Management console as a sharee.
In the left-side navigation pane, choose Resource Sharing > Resources Shared To Me.
In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.
On the Shared To Me page, find the created resource share and click Accept in the Status column.
In the Accept Resource Sharing Invitation message, click Accept.
After you accept the invitation, you (the sharee) can use the shared snapshot, and resources that are subsequently added to the resource share are accepted by default.
View the shared snapshot.
Log on to the ECS console.
In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.
View the shared snapshot in the snapshot list.
Move the pointer over the icon. A tag in the following format appears: acs:ecs:sharedFrom:<UID of the account that shares the snapshot>:<Region in which the source snapshot resides>:<ID of the source snapshot>.
Creation Method is set to Shared Snapshot.
Move the pointer over the icon. Information such as the ID of the account that shares the snapshot and the ID of the source snapshot is displayed.
You can also choose > View Shared Snapshot in the Actions column to view information about the shared snapshot in the Resource Management console.
Use the shared snapshot.
If an unencrypted snapshot is shared, the sharee can perform the following operations by using the shared unencrypted snapshot:
Create a disk from the snapshot. For more information, see Create a disk from a snapshot.
Copy the snapshot. For more information, see Copy a snapshot.
If an encrypted snapshot is shared, the sharee can perform the following operations by using the shared encrypted snapshot:
Create a disk from the snapshot and use a different encryption key for the disk. For more information, see Create a disk from a snapshot.
Copy the snapshot and use a different encryption key for the snapshot copy. For more information, see Copy a snapshot.
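Because resources that are later added to an accepted resource share are accepted by default, a sharee may want to check where a shared snapshot came from before creating disks from it. The following added example (not from the original topic) parses the acs:ecs:sharedFrom tag format shown above; the allowlist, the assumption that the UID is numeric, and all sample values are constructed.

```python
from typing import NamedTuple, Optional

class SharedFrom(NamedTuple):
    sharer_uid: str
    region: str
    snapshot_id: str

PREFIX = "acs:ecs:sharedFrom:"

def parse_shared_from(tag: str) -> Optional[SharedFrom]:
    """Parse acs:ecs:sharedFrom:<UID>:<region>:<snapshot ID>; None if malformed."""
    if not tag.startswith(PREFIX):
        return None
    parts = tag[len(PREFIX):].split(":")
    if len(parts) != 3 or not all(parts):
        return None
    uid, region, snapshot_id = parts
    # Assumption: account UIDs consist of ASCII digits only.
    if not (uid.isascii() and uid.isdigit()):
        return None
    return SharedFrom(uid, region, snapshot_id)

def vet_shared_snapshots(tags, approved_sharers, expected_region):
    """Split tags into accepted origins and (tag, reason) rejections."""
    accepted, rejected = [], []
    for tag in tags:
        info = parse_shared_from(tag)
        if info is None:
            rejected.append((tag, "malformed sharedFrom tag"))
        elif info.sharer_uid not in approved_sharers:
            rejected.append((tag, "sharer account not approved"))
        elif info.region != expected_region:
            rejected.append((tag, "unexpected source region"))
        else:
            accepted.append(info)
    return accepted, rejected

# Constructed sample tags; the UIDs and snapshot IDs are placeholders.
SAMPLE_TAGS = [
    "acs:ecs:sharedFrom:1111111111111111:cn-hangzhou:s-example0001",
    "acs:ecs:sharedFrom:3333333333333333:cn-hangzhou:s-example0002",
    "acs:ecs:sharedFrom:1111111111111111:cn-beijing:s-example0003",
    "acs:ecs:sharedFrom:1111111111111111:cn-hangzhou",
]

if __name__ == "__main__":
    print(vet_shared_snapshots(SAMPLE_TAGS, {"1111111111111111"}, "cn-hangzhou"))
```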
Share a snapshot by using an SDK
In this example, ECS SDK for Java is used and an open source sample project is provided to help you share a snapshot across accounts and use the shared snapshot to create disks.
Click snapshot sharing sample project to download the snapshot sharing sample project.
The project contains the following API operations:
CreateResourceShare: The sharer creates a resource share to share a snapshot.
ReceiveResourceShare: The sharee accepts the snapshot sharing invitation.
UseResourceShare: The sharee uses the shared snapshot to create a disk.
Configure the sample project.
Install SDK dependencies in the pom.xml file. For more information, see Install ECS SDK for Java.
<!--Resource Sharing SDK-->
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>resourcesharing20200110</artifactId>
    <version>${lastVersion}</version>
</dependency>
<!--ECS SDK-->
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-ecs20140526</artifactId>
    <version>${lastVersion}</version>
</dependency>
Note: The SDK package is frequently updated. We recommend that you obtain the latest version of dependencies from the GitHub website. For more information, see Install and use ECS SDKs.
Add the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET to your on-premises environment, and replace the values of the variables with your actual AccessKey ID and AccessKey secret.
Replace the values of other variables in the project with the actual values as needed, such as the ID of the snapshot that you want to share, the UID of the account with which you want to share the snapshot, and the category of the disk that you want to create.
Compile and run each Java code snippet.
Check the execution results in the corresponding console.
If you are the sharer of the snapshot, log on to the Resource Management console to view the created resource share. If you are the sharee of the snapshot, log on to the ECS console to view the snapshot that is shared with your account and the disk that is created from the snapshot.
Unshare a snapshot
If you no longer need to share a snapshot with another Alibaba Cloud account, you can unshare the snapshot in the ECS console.
After a sharer unshares a snapshot, the sharee is affected in the following ways:
The sharee can no longer view the snapshot in the ECS console or by calling an API operation.
The disks that the sharee created from the snapshot can no longer be reset. If the snapshot is copied by the sharee across regions, the snapshot copies are not affected.
Log on to the ECS console as a sharer.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the snapshot that you want to unshare and choose > Share Snapshot in the Actions column.
In the Add to Resource Share dialog box, select the resource share to which the snapshot is added.
In the Principals section, click Edit.
In the Added Principals section, click Remove in the Actions column.
Click OK to unshare the snapshot from the sharee.
References
If you no longer need a snapshot, we recommend that you delete the snapshot at the earliest opportunity to prevent unnecessary costs.