Share a snapshot with other Alibaba Cloud accounts - Elastic Compute Service

Sharers can share snapshots with other Alibaba Cloud accounts or within an organization by using resource directories. Sharees can use shared snapshots to quickly create cloud disks for cross-account cooperation or intra-enterprise resource sharing. This topic describes how to share and unshare a snapshot and related considerations.

Scenarios

Cross-account data sharing
Snapshots can be shared to different Alibaba Cloud accounts or different departments within an enterprise to quickly create cloud disks to share data.
Batch application deployment
Snapshots can be shared to deploy the same applications in different Alibaba Cloud accounts to ensure the identical initialization status on all instances and rapidly build the same business system in each sharee Alibaba Cloud account. This reduces the repetitive configurations and ensures configuration consistency among instances.

Considerations

The following table describes the considerations before you share a snapshot.

Consideration	Description
Fees	Snapshots can be shared free of charge. Sharees are charged when they use shared snapshots to create cloud disks and copy snapshots across regions. If the shared snapshots expire and are not unshared, the system cannot automatically release the snapshots. Consequently, the snapshots are retained, and their billing continues.
Quotas	You can share a snapshot with up to 64 Alibaba Cloud accounts. Each Alibaba Cloud account can share up to 1,024 snapshots.
Limits on accounts	You cannot share snapshots between accounts on the China site and accounts on the international site.
Other limits	Sharers Cannot directly delete shared snapshots. Before you delete a shared snapshot, you must unshare it. Cannot share the snapshots that are created from imported custom images. Cannot share the snapshots that are encrypted using service keys. Note If you want to share a snapshot that is encrypted using a service key, copy the snapshot and select a customer master key (CMK) to encrypt the snapshot copy. Then, you can share the encrypted snapshot copy. For information about the encryption keys of Elastic Compute Service (ECS) resources, see the Encryption keys section of the "Encrypt cloud disks" topic. Sharees Cannot use shared snapshots to create custom images. Cannot use shared snapshots to roll back cloud disks, because the shared snapshot ID differs from the source snapshot ID. Cannot directly delete shared snapshots. Before you delete a shared snapshot, you must unshare it. Cannot archive shared snapshots. Cannot re-share the snapshots that are shared with you. Note If you want to reshare a snapshot that is shared with your account, perform one of the following operations: Create a cloud disk from the snapshot, attach the disk to an ECS instance, create a snapshot of the new disk, and then share the new snapshot. Copy the snapshot and share the snapshot copy. Cannot extend the retention period of snapshots that are shared with your account. Note If a source snapshot is permanently retained, the retention period of each shared snapshot is 1,095 days. If a source snapshot is retained for a user-defined period of time, each shared snapshot has the same retention period as the source snapshot.

Preparations

Before you share a snapshot, make sure that the snapshot does not contain sensitive data or files.
Make preparations based on the scenario in which you want to share a snapshot.
- If you want to share a snapshot with other Alibaba Cloud accounts, obtain the IDs of the accounts.
  To obtain the ID of an Alibaba Cloud account, log on to the Alibaba Cloud Management Console with the Alibaba Cloud account and move the pointer over the profile picture in the upper-right corner. If the account has the Main Account tag, the account ID is an Alibaba Cloud account ID.
- To share a snapshot within your organization by using resource directories, ensure that your Alibaba Cloud account meets the following requirements:
  - You do not enable the resource directory feature and belong to an existing resource directory as a member.
  - You pass enterprise verification, enable the resource directory feature, and then enable resource sharing.
If you want to share the snapshots that are encrypted using CMKs, create the AliyunECSShareEncryptSnapshotDefaultRole Resource Access Management (RAM) role and grant the RAM role the required permissions. For more information, see Share encrypted resources across accounts.

Share a snapshot

ECS console

Step 1: The sharer shares a snapshot

Open the Add to Resource Share dialog box.
1. Go to ECS console - Snapshots.
2. In the top navigation bar, select the region and resource group of the resource that you want to manage.
3. On the Disk Snapshots tab, find the snapshot that you want to share and choose > Share Snapshot in the Actions column.
In the Add to Resource Share dialog box, configure the parameters.
1. Set Method to Existing Resource Share or New Resource Share as needed.
  Note
  The resources sharing feature of Resource Management allows you to share snapshots with other Alibaba Cloud accounts. You can create resource shares to share your resources. A resource share consists of a resource owner, principals, and shared resources. The principals are the Alibaba Cloud accounts that are invited to use the resources of the resource owner.
2. (Conditionally required) Specify the Principal Scope parameter. This parameter is available only when Method is set to New Resource Share.
  - All Accounts: You can share snapshots to any sharee.
  - Objects Within Resource Directory: You can share snapshots only within the specified resource directory. The owner or member of a resource directory can share snapshots only to the folders or members of the resource directory.
3. In the Add Principals section, specify parameters of the sharees and click OK.
  - Scenario 1: Share snapshots with other Alibaba Cloud accounts
    Set Principal Type to Cloud Account and Principal ID to the Alibaba Cloud account ID of the sharee.
    Note
    If Method is set to Existing Resource Share, you can select the Alibaba Cloud account IDs only within the specified resource directory.
    If you want to share snapshots with multiple Alibaba Cloud accounts, add them one by one.
  - Scenario 2: Share snapshots within an organization based on the resource directory.
    - If you (the sharer) do not enable the resource directory feature and belong to a resource directory as members, in the Add Principals dialog box, set Principal Type to Resource Directory or Folder (Organization Unit). For the later, you also need to enter the folder ID.
    - If the resource directory feature is enabled for your Alibaba Cloud account (sharer), in the Add Principals dialog box, select the resource directory and folders based on your business requirements.
    Note
    You can also log on to the Resource Management console to share snapshots based on the resource directory. For more information, see Operations of resource owners.
    If you want to share snapshots to the resource directory or folder, all Alibaba Cloud accounts in the resource directory or folder can access the shared snapshots. If new accounts are added to the resource directory or folder, the system automatically shares the snapshots to the accounts. If accounts are removed from the resource directory or folder, the system automatically unshares the snapshots from the accounts.
4. Click OK.

Step 2: A sharee uses a shared snapshot

The sharee must accept the invitation to use the shared snapshot from the sharer.

(Conditionally required) The first time the sharee selects an existing or new resource share, to accept the invitation to use the shared snapshot, the sharee must perform the following steps:
1. Log on to the Resource Management console.
2. In the left-side navigation pane, choose Resource Sharing > Resources Shared To Me.
3. In the upper-left corner of the top navigation bar, select the region in which the shared snapshot resides.
4. On the Shared To Me page, find the resource share and click Accept in the Status column.
5. In the Accept Resource Sharing Invitation message, click Accept.
  After you accept the invitation, you can use the shared snapshot. Subsequent sharing invitations for shared resources added to the resource share are automatically accepted.
To view the shared snapshot, the sharee must perform the following steps:
1. Go to ECS console - Snapshots.
2. In the upper-left corner of the top navigation bar, select the region in which the shared snapshot resides.
3. View the shared snapshot in the snapshot list on the Disk Snapshots tab.
  - Move the pointer over the icon. A tag in the following format appears: acs:ecs:sharedFrom:<UID of the account that shares the snapshot>:<Region in which the source snapshot resides>:<ID of the source snapshot>.
  - Check whether Shared Snapshot is displayed in the Creation Method column.
  - Move the pointer over the icon. Information, such as the UID of the account that shared the snapshot and the ID of the source snapshot, is displayed.
    You can also choose > View Shared Snapshot in the Actions column to view information about the shared snapshot in the Resource Management console.
(Optional)Create a data disk from a shared snapshot or copy a shared snapshot.
Note
- If you use shared encrypted snapshots to create cloud disks or copy the shared snapshots , specify a different encryption key.
- You can use shared encrypted snapshots to create only Enterprise SSD (ESSD) series disks, such as ESSDs, ESSD AutoPL disks, or ESSD Entry disks. To create cloud disks of other categories, copy the snapshot and use the snapshot copy to create the disks.

SDKs

This section describes how to use an ECS SDK and a Resource Sharing SDK to share a snapshot across Alibaba Cloud accounts and create a cloud disk from the shared snapshot. In this example, the SDKs for Java and an open source sample project are used.

Click snapshot sharing sample project to download the snapshot sharing sample project.
The project involves the following API operations:
- CreateResourceShare: The sharer creates a resource share to share a snapshot.
- ReceiveResourceShare: The sharee accepts the snapshot sharing invitation.
- UseResourceShare: The sharee uses the shared snapshot to create a disk.
Configure the sample project.
1. Configure SDK dependencies in the pom.xml file. For more information, see Use SDK for Java.
```

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>resourcesharing20200110</artifactId>
  <version>${lastVersion}</version>
</dependency>

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>alibabacloud-ecs20140526</artifactId>
  <version>${lastVersion}</version>
</dependency>
```
  Note
  SDK packages are frequently updated. We recommend that you obtain the latest version of dependencies from the official GitHub website. For more information, see SDK overview.
2. Add the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to your on-premises environment, and replace the values of the variables with your actual AccessKey ID and AccessKey secret.
3. Replace the values of other variables in the project with actual values, such as the ID of the snapshot that you want to share, the UID of the account with which you want to share the snapshot, and the category of the disk that you want to create.
Compile and run each Java code snippet.
Check the execution results in the corresponding console.
If you are the sharer of the snapshot, log on to the Resource Management console to view the created resource share. If you are the sharee of the snapshot, log on to the ECS console to view the snapshot that is shared with your account and the disk that is created from the snapshot.

Unshare a snapshot

If you (sharer) no longer want to share a snapshot with Alibaba Cloud accounts, you can unshare the snapshot.

Considerations

After the sharer unshares a snapshot, the following impacts are imposed on the sharees:

The sharees can no longer view the snapshot in the ECS console or by calling an API operation.
The sharees can no longer re-initialize the cloud disks created from the shared snapshot.
The copies of the shared snapshot are not affected.

Procedure

Open the Add to Resource Share dialog box.
1. Go to ECS console - Snapshots.
2. In the top navigation bar, select the region and resource group of the resource that you want to manage.
3. On the Disk Snapshots tab, find the snapshot that you want to unshare and choose > Share Snapshot in the Actions column.
Unshare a snapshot.
1. In the Add to Resource Share dialog box, select the resource share to which the snapshot is added.
2. In the Principals section, click Edit.
3. In the Added Principals section, click Remove in the Actions column corresponding to the sharee from whom you want to unshare the snapshot.
4. Click OK.