You can share a custom image with other Alibaba Cloud accounts or within your enterprise organization in the same region. This allows you to quickly deploy consistent application environments without building the same image repeatedly.
Scope
-
Image sharing is limited to accounts within the same region.
-
You can only share custom images that you have created. You cannot re-share an image that another Alibaba Cloud account has shared with you.
-
You cannot share custom images created from Alibaba Cloud Marketplace images between Alibaba Cloud accounts on the china site and the international site.
Sharing methods
|
Sharing method |
Use cases |
Benefits |
Limitations and description |
|
Share with specified accounts |
Share an image with a small, fixed number of partners or individual accounts. |
Simple to use. |
You must manually manage the recipient account IDs. |
|
Share within an enterprise organization |
Use resource directory to dynamically share an image with the entire organization or with member accounts in specific resource folders. |
Permissions are automatically synchronized as members join or leave the organization, simplifying centralized management. |
This method uses the resource directory service to share resources. The Alibaba Cloud account that shares the image must meet one of the following conditions:
|
Before you begin
Before you share an image, perform the following checks to ensure data security and permission compliance.
-
Obtain recipient information:
-
Share with specified accounts: Obtain the recipient's Alibaba Cloud account ID in advance.
-
Share within an enterprise organization: Confirm that your enterprise organization uses resource directory and has resource sharing enabled.
-
-
Remove sensitive data from the image: To prevent data leaks, remove sensitive information from the image before sharing it. Best practice is to remove items such as shell history, SSH keys, network configurations, temporary files, and unnecessary access credentials before creating the image.
-
(Required for encrypted images) Authorize the sharing role: To share an encrypted image, you must create and authorize the
AliyunECSShareEncryptImageDefaultRolerole. For more information, see Share encrypted resources across accounts.
Procedure
Scenario 1: Share with a specified account
Console
-
Go to the ECS console - Images page, and select the resource group and region that contains your target image.
-
On the Custom Images tab, find the custom image that you want to share. In the Actions column, click Shared Images.
-
In the Share Image dialog box, configure the following parameters:
-
Enter the recipient's Alibaba Cloud account ID in the Sharee Account ID field.
-
Read the Security Confirmation, select the checkbox, and then click OK.
-
API
Call the Manage image sharing permissions API operation to share a custom image from your Alibaba Cloud account with another Alibaba Cloud account.
Scenario 2: Share within an organization
-
Go to the ECS console - Images page, and select the resource group and region that contains your target image.
-
On the Custom Images tab, find the custom image that you want to share. In the Actions column, click Shared Images.
-
For Sharee Type, click Shared Organization. You are redirected to the Resource Sharing console. Follow the instructions in Create a resource share to complete the sharing process. Select ECS image as the resource to share.
Only a management account or a member account within a resource directory can share resources within an organization. If you do not see the Shared Organization option, enable resource directory first.
To prevent data inconsistencies in the resource directory, do not share an image directly with an account if that account can already access it through resource directory.
Billing
Image sharing is free of charge. However, if a shared image originates from a paid image, the recipient is charged for the image when using it to create an ECS instance.
For example: Image A is a paid image. Alibaba Cloud Account A shares the image with Alibaba Cloud Account B. When Alibaba Cloud Account B uses the shared image to create an instance, Alibaba Cloud Account B is charged for the image in addition to the instance fees.
Limitations
-
The number of accounts you can share an image with is limited by a quota. Sharing an image does not consume the recipient's custom image quota. Go to Quota Center to view the Quota of Shared Users per Custom Image and request a quota increase.
-
ECS custom images cannot be shared for use with Simple Application Server. However, you can share a custom image created on a Simple Application Server to ECS.
FAQ
How do I view the recipients of a shared image?
Console
After an image is shared, on the Custom Images tab, hover over the 
icon for the image to view the Alibaba Cloud account IDs of the recipients.
API
Call the DescribeImageSharePermission API operation to query the accounts that a custom image is shared with.
How do I share an image across regions?
You must first copy a custom image to the destination region, and then share it from that region.
How do I delete a shared image?
You cannot delete an image while it is being shared. You must first unshare the image before you can delete it.
How do I find my Alibaba Cloud account ID?
In the upper-right corner of the console, hover over your profile picture. In the user information box that appears, if the account type is Alibaba Cloud Account, the ID shown is your Alibaba Cloud account ID.