You can use shared images to create Elastic Compute Service (ECS) instances across multiple Alibaba Cloud accounts in the same region. After you create a custom image, you can share the custom image with other Alibaba Cloud accounts or within your organization based on resource directories or folders. This way, the sharees can use the shared image to create identical ECS instances. This topic describes how to share a custom image and the considerations that you must take note of when you share the image.
Scenarios
Scenario 1: You want to share images in your Alibaba Cloud account with one or more Alibaba Cloud accounts.
Scenario 2: When you use Alibaba Cloud services, you use a resource directory to manage all Alibaba Cloud accounts of your organization. You want to share the images of a member in the resource directory with all members in the resource directory or with all members in a specific folder in the resource directory.
If you share images in Scenario 2, all accounts in the resource directory or folder have access to the shared images. Accounts that are subsequently added to the resource directory or folder also have access to the shared images. Accounts that are removed from the resource directory or folder lose access to the shared images. For more information, see Resource Sharing overview.
Note: Resource Directory is a service that you can use to manage relationships among a number of accounts and resources. Resource Directory allows you to quickly establish an organizational structure based on your business requirements and consolidate the accounts of your organization into the structure to create a hierarchy for the resources of your organization. For more information, see Resource Directory overview.
If you shared a custom image with all members in a resource directory or with all members in a specific folder in the resource directory, we recommend that you do not reshare the custom image in the manner described in Scenario 1. This prevents inconsistencies of the shared image data in resource directories.
Considerations
Before you share a custom image, take note of the items described in the following table.
Item | Description
Fees | You are not charged for sharing custom images.
Regions |
Limits |
Preparations
Before you share a custom image, make sure that all sensitive data and files are removed from the image.
When you share a custom image in different scenarios, take note of the following items:
To share a custom image with other Alibaba Cloud accounts, you must obtain the IDs of the accounts.
To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the account and move the pointer over the profile picture in the upper-right corner. If the Main Account tag is added to the Alibaba Cloud account, the account ID is an Alibaba Cloud account ID.
To share a custom image within your organization based on resource directories or folders, you must enable the resource directories by using the management account or members. For more information, see Enable a resource directory.
Procedure
Share an unencrypted custom image
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Custom Images tab, find the unencrypted custom image that you want to share and click Share Image in the Actions column.
In the Share Image dialog box, configure the parameters based on your business requirements.
Share the unencrypted custom image with other Alibaba Cloud accounts
Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.
For the Security Confirmation parameter, select After you share the image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the image with the accounts.
Click Confirm.
Share the unencrypted custom image within your organization based on resource directories or folders
To the right of the Sharee Type parameter, click Shared Organization.
Note: Only the management account or members that enabled a resource directory can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
Note: In the Resources section of the Create Resource Share page, set the resource type to ECS Image.
After you share the unencrypted custom image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.
Share an encrypted custom image
Step 1: Create a RAM role and grant permissions to the RAM role
If you want to share an encrypted custom image, create a RAM role named AliyunECSShareEncryptImageDefaultRole in the RAM console and attach a policy to grant the required permissions to the RAM role. Then, you can share the encrypted custom image with other Alibaba Cloud accounts or within your organization based on the resource directory or folder.
Log on to the RAM console with an Alibaba Cloud account from which you want to share an encrypted custom image.
On the Policies page, find or create a policy.
If the custom image that you want to share is encrypted by using the default service customer master key (CMK), find the AliyunKMSFullAccess system policy. To view the content of the system policy, see AliyunKMSFullAccess.
If the custom image that you want to share is encrypted by using a custom CMK that you created in Key Management Service (KMS), click Create Policy on the Policies page and click the JSON tab to create a custom policy that grants the minimum permissions on the custom CMK. For more information, see the Create a custom policy on the JSON tab section of the "Create custom policies" topic.
The following sample code provides an example policy that grants only the permissions on the CMK associated with the encrypted custom image that you want to share:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "kms:List*",
      "Resource": "acs:kms:<ID of the region in which the CMK resides>:<ID of the Alibaba Cloud account to which the CMK belongs>:key",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:DescribeKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "acs:kms:<ID of the region in which the CMK resides>:<ID of the Alibaba Cloud account to which the CMK belongs>:key/<ID of the CMK associated with the image>",
      "Effect": "Allow"
    }
  ]
}
Note: You must replace the <ID of the region in which the CMK resides>, <ID of the Alibaba Cloud account to which the CMK belongs>, and <ID of the CMK associated with the image> variables with actual values.
On the Roles page, create a RAM role named AliyunECSShareEncryptImageDefaultRole for a trusted Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
On the Roles page, click the AliyunECSShareEncryptImageDefaultRole role that you created to go to the role details page. On the Permissions tab, click Grant Permission to attach the policy that you found or created in Step 2 to the RAM role. For more information, see the Method 2: Grant permissions to a RAM role by clicking Precise Permission on the Roles page section of the "Grant permissions to a RAM role" topic.
On the Trust Policy tab, click Edit Trust Policy and specify the sharees with which you want to share the encrypted custom image. For more information, see Edit the trust policy of a RAM role.
If you want to share the encrypted custom image with an Alibaba Cloud account, replace the default trust policy with the following policy:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "<UID>@ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
Note: In the replacement policy, replace <UID> with the ID of the Alibaba Cloud account with which to share the encrypted custom image. If you want to share the encrypted custom image with multiple Alibaba Cloud accounts, you must specify the IDs of all the Alibaba Cloud accounts with which to share the image.
If you want to share the encrypted custom image within your organization based on resource directories, replace the default trust policy based on the scenario.
Scenario 1: If you want to share the encrypted custom image with all members in a resource directory, replace the default trust policy with the following policy in which the ID of the resource directory is specified:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringEquals": {
          "sts:ServiceOwnerRDId": "<ID of the resource directory>"
        }
      }
    }
  ],
  "Version": "1"
}
Note: In the replacement policy, replace <ID of the resource directory> with the ID of the resource directory of the sharees. For information about how to view the ID of a resource directory, see View the basic information about a resource directory.
Scenario 2: If you want to share the encrypted custom image with all members in a specific folder in a resource directory, replace the default trust policy with the following policy in which the resource directory path of the folder is specified in the <Resource directory ID>/<Root folder ID>/.../<Current folder ID*> format:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "*@ecs.aliyuncs.com"
      },
      "Condition": {
        "StringLike": {
          "sts:ServiceOwnerRDPath": "<ID of the resource directory>/<Root folder ID>/.../<Current folder ID*>"
        }
      }
    }
  ],
  "Version": "1"
}
Note: In the replacement policy, replace <ID of the resource directory>, <Root folder ID>, and <Current folder ID> with actual values. For information about how to view the resource directory path of a folder, see View the basic information of a folder.
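The following Python is an added example, not code from the Alibaba Cloud documentation. It builds the three trust-policy variants shown above for AliyunECSShareEncryptImageDefaultRole and runs a defender's sanity check over both the trust policy and the KMS permission policy from Step 1: it flags placeholders that were never replaced, a wildcard *@ecs.aliyuncs.com principal that lacks the sts:ServiceOwnerRDId or sts:ServiceOwnerRDPath condition that limits it to your own resource directory, and key-use actions whose Resource is not pinned to one CMK. All account, directory and key IDs used with it are constructed sample values.

```python
ECS_SUFFIX = "@ecs.aliyuncs.com"
RD_KEYS = {"sts:ServiceOwnerRDId", "sts:ServiceOwnerRDPath"}
KEY_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}

def _as_list(v):  # RAM policies allow a string or a list in Action/Resource/Service
    return [v] if isinstance(v, str) else list(v or [])

def _grants_key_use(actions):  # explicit key-use actions, or the kms:* / * wildcards
    return any(a in KEY_ACTIONS or a.rstrip("*") in ("", "kms:") for a in actions)

def build_trust_policy(account_ids=None, rd_id=None, rd_path=None):
    # Pass exactly one selector: named accounts, a resource directory ID, or a folder path.
    stmt = {"Action": "sts:AssumeRole", "Effect": "Allow"}
    if account_ids:  # named sharee accounts
        stmt["Principal"] = {"Service": [f"{uid}{ECS_SUFFIX}" for uid in account_ids]}
    elif rd_id:  # every member of one resource directory
        stmt["Principal"] = {"Service": f"*{ECS_SUFFIX}"}
        stmt["Condition"] = {"StringEquals": {"sts:ServiceOwnerRDId": rd_id}}
    elif rd_path:  # every member under one folder path (StringLike, so a trailing * is allowed)
        stmt["Principal"] = {"Service": f"*{ECS_SUFFIX}"}
        stmt["Condition"] = {"StringLike": {"sts:ServiceOwnerRDPath": rd_path}}
    else:
        raise ValueError("one of account_ids, rd_id or rd_path is required")
    return {"Statement": [stmt], "Version": "1"}

def trust_policy_findings(policy):
    # Empty list: every Allow is pinned to named sharees or scoped by a directory condition.
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        for svc in _as_list(stmt.get("Principal", {}).get("Service")):
            if "<" in svc:
                findings.append(f"placeholder left in principal: {svc}")
            elif svc.startswith("*") and not cond_keys & RD_KEYS:
                findings.append("wildcard ECS principal without resource directory condition")
    return findings

def kms_policy_findings(policy):
    # Empty list: key-use actions are granted on exactly one named CMK, never key/* or *.
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_key_use(_as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            if "<" in res:
                findings.append(f"placeholder left in resource: {res}")
            elif ":key/" not in res or res.endswith("/*"):
                findings.append(f"key-use actions not scoped to one CMK: {res}")
    return findings
```

Running kms_policy_findings over the sample policy from Step 1 exactly as printed reports the unreplaced placeholders, which is the check to run before the policy is attached.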
Step 2: Share the encrypted custom image
Log on to the ECS console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region and resource group to which the resource belongs.
On the Custom Images tab, find the custom image that you want to share and click Share Image in the Actions column.
In the Share Image dialog box, configure the parameters based on your business requirements.
Share the encrypted custom image with other Alibaba Cloud accounts
Enter the IDs of the Alibaba Cloud accounts in the Shared Account ID field.
For the Security Confirmation parameter, select After you share the image with accounts, the accounts can obtain the data of the image. To ensure data security, confirm that you want to share the image with the accounts.
Click Confirm.
Share the encrypted custom image within your organization based on resource directories or folders
To the right of the Sharee Type parameter, click Shared Organization.
Note: Only the management account or members that enabled a resource directory can share resources within an organization. If Shared Organization is not displayed, you must enable a resource directory. For more information, see Enable a resource directory.
Go to the Resource Management console to complete the sharing operation. For more information, see Create a resource share.
Note: In the Resources section of the Create Resource Share page, set the resource type to ECS Image.
After you share the encrypted custom image, find the image and move the pointer over the icon corresponding to the image to view the Alibaba Cloud accounts with which the image is shared.