Share a snapshot with other Alibaba Cloud accounts - Elastic Compute Service

You can share disk snapshots with other Alibaba Cloud accounts or within your organization based on resource directories. Other Alibaba Cloud accounts can use your shared snapshots to quickly create disks to meet daily O&M requirements. This topic describes how to share a snapshot, how to use a shared snapshot, and how to unshare a snapshot. This topic also describes the considerations that apply to the preceding operations.

Note

Resource Directory is a service that can be used to manage the relationships between multiple accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to create a hierarchy for the resources of your organization. For more information, see What is Resource Directory?

Considerations

Before you share a snapshot, take note of the considerations that are described in the following table.

Consideration	Description
Fees	Snapshots are shared free of charge. You are charged when you use shared snapshots to create disks and copy snapshots across regions.
Limits	Accounts Snapshots can be shared only between Alibaba Cloud accounts. Quantities You can share a snapshot with up to 64 Alibaba Cloud accounts. Each Alibaba Cloud account can share up to 1,024 snapshots. Encrypted snapshots Snapshots that are encrypted with service keys cannot be shared. For information about encryption keys for ECS, see the Encryption keys section of the "Overview" topic. If you want to share a snapshot that is encrypted with a service key, copy the snapshot and select a customer master key (CMK) as the encryption key for the snapshot copy. Then, you can share the snapshot copy. When you use a shared encrypted snapshot to create disks, you must specify a different encryption key for the disks instead of using the encryption key of the snapshot. Note If you use shared encrypted snapshots to create disks, you can create only Enterprise SSDs (ESSDs). If you want to use a shared encrypted snapshot to create disks of other categories, you can copy the snapshot and then use the snapshot copy to create the disks. When you copy a shared encrypted snapshot, you must specify a different encryption key for the snapshot copy instead of using the encryption key of the snapshot. Others Accounts cannot reshare the snapshots that are shared with them. If you want to reshare a snapshot that is shared with you, perform one of the following operations: Create a disk from the snapshot, create a snapshot of the new disk, and then share the new snapshot. Copy the snapshot and share the snapshot copy. After snapshots are shared with accounts, the snapshots remain available to the accounts for up to three years or until the snapshots are unshared. For information about how to unshare a snapshot, see the Unshare a snapshot section of this topic. Shared snapshots cannot be used to create custom images.

Preparations

Before you share a snapshot, we recommend that you make sure that the snapshot does not contain sensitive data or files.
Make preparations based on the scenario in which you want to share a snapshot.
- If you want to share a snapshot with other Alibaba Cloud accounts, obtain the IDs of the accounts.
  To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the Alibaba Cloud account and move the pointer over the profile picture in the upper-right corner. If the account is tagged with Main Account, the account ID is an Alibaba Cloud account ID.
- To share a snapshot within your organization based on resource directories, you must enable resource directories by using management accounts or members. For more information, see Enable a resource directory.

Share a snapshot

Share a snapshot in the ECS console

A sharer shares a snapshot

(Conditionally required) Create a Resource Access Management (RAM) role and grant permissions to the role.
Before you can share a snapshot that is encrypted with a Key Management Service (KMS) key in your Alibaba Cloud account with other Alibaba Cloud accounts, you must grant the permissions to access the KMS key in your Alibaba Cloud account to the other Alibaba Cloud accounts. For more information, see the Share encrypted resources across accounts section of the "Encryption-related permissions" topic.
Log on to the ECS console and open the Add to Resource Share dialog box.
1. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
2. In the top navigation bar, select the region and resource group to which the resource belongs.
3. Find the encrypted snapshot that you want to share and choose > Share Snapshot in the Actions column.
In the Add to Resource Share dialog box, configure the parameters.
1. In the Add to Resource Share dialog box, select a resource share that is created on the Shared By Me page in the Resource Management console.
  Note
  The Resources Sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. Principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner. For more information about resource shares, see What is Resource Sharing?
2. In the Principals section, click Edit to add a principal.
  1. By default, the Principal Scope parameter is set to Objects Within Resource Directory. For more information, see the Methods used to share resources section of the "What is Resource Sharing?" topic.
  2. Enter the ID of the Alibaba Cloud account with which you want to share the snapshot and click Add.
3. Click OK.

A sharee uses a shared snapshot

The sharee must accept the invitation to use the shared snapshot from the sharer.

To accept the shared snapshot, the sharee performs the following steps:
1. Log on to the Resource Management console.
2. In the left-side navigation pane, choose Resource Sharing > Resources Shared To Me.
3. In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.
4. On the Shared To Me page, find the created resource share and click Accept in the Status column.
5. In the Accept Resource Sharing Invitation message, click Accept.
  After you accept the invitation, you can use the shared snapshot. The subsequent sharing invitations for shared resources added to the resource share are automatically accepted.
To view the shared snapshot, the sharee performs the following steps:
1. Log on to the ECS console.
2. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
3. In the upper-left corner of the top navigation bar, select the region where the shared snapshot resides.
4. View the shared snapshot in the snapshot list on the Disk Snapshots tab.
  - Move the pointer over the icon. A tag in the following format appears: acs:ecs:sharedFrom:<UID of the account that shares the snapshot>:<Region in which the source snapshot resides>:<ID of the source snapshot>.
  - Check whether Shared Snapshot is displayed in the Creation Method column.
  - Move the pointer over the icon. Information such as the ID of the account that shares the snapshot and the ID of the source snapshot is displayed.
    You can also choose > View Shared Snapshot in the Actions column to view information about the shared snapshot in the Resource Management console.
Use the shared snapshot.
- If an unencrypted snapshot is shared, the sharee can perform the following operations by using the shared unencrypted snapshot:
  - Create a disk from the snapshot. For more information, see Create a disk from a snapshot.
  - Copy the snapshot. For more information, see Copy a snapshot.
- If an encrypted snapshot is shared, the sharee can perform the following operations by using the shared encrypted snapshot:
  - Create a disk from the snapshot and specify a different encryption key for the disk. For more information, see Create a disk from a snapshot.
  - Copy the snapshot and specify a different encryption key for the snapshot copy. For more information, see Copy a snapshot.

Share a snapshot by using SDKs

This section describes how to use an ECS SDK and a Resource Sharing SDK to share a snapshot across accounts and create a disk from the shared snapshot. In this example, SDKs for Java and an open source sample project are used.

Click snapshot sharing sample project to download the snapshot sharing sample project.
The project involves the following API operations:
- CreateResourceShare: The sharer creates a resource share to share a snapshot.
- ReceiveResourceShare: The sharee accepts the snapshot sharing invitation.
- UseResourceShare: The sharee uses the shared snapshot to create a disk.
Configure the sample project.
1. Configure SDK dependencies in the pom.xml file. For more information, see Install ECS SDK for Java.
```

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>resourcesharing20200110</artifactId>
  <version>${lastVersion}</version>
</dependency>

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>alibabacloud-ecs20140526</artifactId>
  <version>${lastVersion}</version>
</dependency>
```
  Note
  The SDK package is frequently updated. We recommend that you obtain the latest version of dependencies from the GitHub website. For more information, see Install and use ECS SDKs.
2. Add the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to your on-premises environment, and replace the values of the variables with your actual AccessKey ID and AccessKey secret.
3. Replace the values of other variables in the project with actual values, such as the ID of the snapshot that you want to share, the UID of the account with which you want to share the snapshot, and the category of the disk that you want to create.
Compile and run each Java code snippet.
Check the execution results in the corresponding console.
If you are the sharer of the snapshot, log on to the Resource Management console to view the created resource share. If you are the sharee of the snapshot, log on to the ECS console to view the snapshot that is shared with your account and the disk that is created from the snapshot.

Unshare a snapshot

If you no longer want to share a snapshot with another Alibaba Cloud account, you can unshare the snapshot.

Important

After a sharer unshares a snapshot, the following impacts are imposed on the sharee:

The sharee can no longer view the snapshot in the ECS console or by calling an API operation.
The disks that the sharee created from the snapshot can no longer be reset. If the snapshot is copied by the sharee across regions, the snapshot copies are not affected.

Log on to the ECS console and open the Add to Resource Share dialog box.
1. In the left-side navigation pane, choose Storage & Snapshots > Snapshots.
2. In the top navigation bar, select the region and resource group to which the resource belongs.
3. Find the encrypted snapshot that you want to unshare and choose > Share Snapshot in the Actions column.
Unshare the snapshot.
1. In the Add to Resource Share dialog box, select the resource share to which the snapshot is added.
2. In the Principals section, click Edit.
3. In the Added Principals section, click Remove in the Actions column corresponding to the sharee with which you want to unshare the snapshot.
4. Click OK.

References

If you no longer require a snapshot, we recommend that you delete the snapshot at the earliest opportunity to prevent unnecessary costs.