Resource Sharing allows you to share the resources of your Alibaba Cloud account with other accounts and access the resources shared by other accounts.
Scenarios
An enterprise may have multiple Alibaba Cloud accounts and use these accounts to subscribe to various services. In some cases, the enterprise needs to use one of the accounts to purchase resources of a specific type and wants to share these resources with other accounts. The enterprise can use the Resource Sharing service to perform this operation. The following descriptions provide details:
The enterprise can use the Resource Sharing service to directly share the resources within one Alibaba Cloud account with another Alibaba Cloud account.
If the enterprise uses a resource directory to manage all its Alibaba Cloud accounts, the enterprise can share resources based on the resource directory:
The enterprise can share the resources of a member in the resource directory with an Alibaba Cloud account that is not the management account or a member of the resource directory. For example, the enterprise can share the resources of a member in the resource directory with an account owned by a third-party organization for auditing.
The enterprise can share the resources of a member in the resource directory with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory. For example, the enterprise can share a vSwitch in a virtual private cloud (VPC) of a member in the resource directory with all the members that are owned by a specific business line. This way, network connections are established among the members.
Benefits
Low costs: Resources are created in a centralized manner and shared with other accounts. This way, you do not need to repeatedly create resources in each account.
Centralized management: O&M and management are performed on shared resources in a centralized manner. This allows you to configure security policies and use the Cloud Config and ActionTrail services to audit and track configurations and operations in a centralized manner.
Improved sharing experience: Resources are shared based on the same sharing mechanism. You do not need to adapt to the different sharing operations of various resources.
Terms
Term | Description |
resource share | A resource share is an instance of the Resource Sharing service. It is also a resource and has a unique ID and an Alibaba Cloud Resource Name (ARN). A resource share consists of a resource owner, principals, and shared resources. |
resource owner | A resource owner initiates resource sharing and owns shared resources. |
principal | A principal is invited to use the resources of resource owners and has specific operation permissions on the shared resources. Note: The operation permissions of each principal on the shared resources are determined by the Alibaba Cloud service to which the resources belong. For example, the operation permissions of principals on the shared vSwitches in a VPC are determined based on the VPC service. For more information, see Permissions related to VPC sharing. |
shared resource | A shared resource is a resource of an Alibaba Cloud service. For more information about the types of resources that can be shared, see Services that work with Resource Sharing. |
resource sharing | Resource sharing allows you to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For more information, see Enable resource sharing within a resource directory. |
Methods used to share resources
Method | Description |
Share resources with any account | A resource owner can share resources with any principal regardless of whether the resource owner or principal is the management account or a member of a resource directory. |
Share resources with objects in a resource directory | The management account or a member of a resource directory can share resources with all members in the resource directory, all members in a specific folder in the resource directory, or a specific member in the resource directory. |
Services that work with Resource Sharing
For more information, see Services that work with Resource Sharing.
Limits
Item | Upper limit | Adjustable |
Number of resource shares that can be created by using each account | 1,000 | |
Number of resources that can be shared with other accounts by using each account | 1,000 | |
Differences between sharing of region-specific resources and sharing of global resources
Before you create a resource share in Resource Sharing, you must specify a region. You can use the Resource Sharing service to share region-specific or global resources. The following table describes the differences between sharing of region-specific resources and sharing of global resources.
Resource type | Difference |
Region-specific resource | Region-specific resources are resources that reside in a specific region. You must specify a region before you create a region-specific resource. If you want to share a region-specific resource, you must create a resource share in the region where the resource resides. For example, if you want to share a vSwitch that resides in the China (Hangzhou) region, you must create a resource share in the China (Hangzhou) region in the Resource Management console or by calling the related API operation. |
Global resource | Global resources are resources that can be accessed in all regions. You do not need to specify a region before you access a global resource or perform an operation on a global resource. If you want to share a global resource by using the Resource Sharing service, you can create a resource share only in the China (Shanghai) region. For example, ROS templates are global resources. If you want to share an ROS template by using the Resource Sharing service, you must create a resource share in the China (Shanghai) region. The limit on the region is exclusive to the Resource Sharing service and does not affect the shared resources. The ROS templates can still be accessed in all regions in the ROS console. |
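The following Python example is added here and is not Alibaba Cloud code or an API client. It audits an inventory of resource shares against two points on this page: the region in which a share must be created, and whether a principal is an account outside the resource directory. The record layout, field names and all IDs are assumptions constructed for the example; cn-hangzhou and cn-shanghai are the region IDs of China (Hangzhou) and China (Shanghai).

```python
from dataclasses import dataclass, field
from typing import Optional

# China (Shanghai): the only region in which global resources can be shared.
GLOBAL_SHARE_REGION = "cn-shanghai"

@dataclass
class Resource:                      # hypothetical inventory record
    rid: str
    home_region: Optional[str]       # None marks a global resource (e.g. an ROS template)

@dataclass
class Share:                         # hypothetical inventory record
    name: str
    region: str                      # region the resource share was created in
    resources: list = field(default_factory=list)
    principals: list = field(default_factory=list)  # (kind, id); kind: directory|folder|account

def required_share_region(res):
    """Region in which a resource share containing `res` must be created."""
    return res.home_region or GLOBAL_SHARE_REGION

def audit_share(share, directory_members):
    """Return findings: region mismatches, then principals outside the resource directory."""
    findings = []
    for res in share.resources:
        need = required_share_region(res)
        if need != share.region:
            findings.append(f"{share.name}: {res.rid} must be shared from {need}, not {share.region}")
    for kind, pid in share.principals:
        # Directory- and folder-scoped principals stay inside the resource directory.
        if kind == "account" and pid not in directory_members:
            findings.append(f"{share.name}: principal {pid} is outside the resource directory")
    return findings

# Constructed sample inventory; every ID below is made up.
MEMBERS = {"1000000000000001", "1000000000000002"}
SHARES = [
    Share("net-shared", "cn-hangzhou",
          [Resource("vsw-example1", "cn-hangzhou")], [("folder", "fd-example")]),
    Share("audit-export", "cn-hangzhou",
          [Resource("ros-template-example", None)], [("account", "2000000000000009")]),
]

if __name__ == "__main__":
    for s in SHARES:
        for finding in audit_share(s, MEMBERS):
            print(finding)
```

A finding for an external principal is not necessarily a misconfiguration, since sharing with a third-party auditing account is a supported scenario; the point of the check is that each such share is known and approved.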