Sharing images and snapshots

You can share images and snapshots with users outside of your project or organization. Users with read access to those resources can use them to complete operations in other projects and organizations. For example, if you grant a user read access to an image or snapshot in your project, they can use those resources to create persistent disks in their own projects. Use IAM roles to share read access to your images and snapshots.

In some situations, you want those authorized users to have access to these storage resources only when they use those resources within your organization or certain projects. To limit the projects where users can use your images, and snapshots to create resources, set the storage resource usage constraint as an organization policy.

To learn more about IAM roles, read the IAM documentation.

To learn about resource-level IAM policies, which let you grant access to specific resources such as images instead of to a whole project, see Granting access to Compute Engine resources.

Before you begin

Limitations

Sharing storage resources has the following restrictions:

  • You can grant roles to allAuthenticatedUsers to allow access to images or snapshots, but you can't grant roles to allow access to these resources with allUsers.

  • You can set the constraints/compute.storageResourceUseRestrictions constraint only at the organization level.

  • You must use the Compute Engine API to create images or snapshots from resources outside of your project. For example, you can reference images and snapshots in remote projects when you run methods that require you to specify a path to an image or snapshot. Some examples of these methods are:

Sharing storage resources across projects and organizations

You can share access to images and snapshots with other users by granting them the following IAM roles or permissions at the resource, project, folder, or organization level.

  • Images: The roles/compute.imageUser role or the compute.images.useReadOnly permission.
  • Snapshots: The roles/compute.storageAdmin role or the compute.snapshots.useReadOnly permission.

These roles and permissions allow you to share images and snapshots with other team members outside of the project that owns the images and snapshots. For example, your company might have a specific project with qualified images that the rest of your company can use. You can grant the roles/compute.imageUser role at the project level to your team members, which allows these team members to use these images in their own projects.

To grant the image sharing role, use the Google Cloud Console, the gcloud command-line tool, or the API. To learn how to use IAM, read the IAM documentation.

Console

  1. Go to the IAM page in the Cloud Console.

    Go to the IAM page

  2. If prompted, select your project.
  3. If you are adding a new user:
    1. Click Add at the top of the page.
    2. Provide one or more email address of the account to which you want to grant access.
    3. Grant one or more roles to the member.
      • Images: Select Compute Engine > Compute Image User from the role selector.
      • Snapshots: Select Compute Engine > Compute Storage Admin from the role selector.
  4. Save your changes.

gcloud

Using the gcloud command-line tool, add a binding to the Cloud IAM policy for the image or the image project. The following example adds a binding to the project.

gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member [MEMBER_TYPE]:[ACCOUNT] --role [ROLE]

where:

  • [PROJECT_ID] is the ID of the project containing images you want to share.
  • [MEMBER_TYPE] is the type of account you are granting access to. For example, use user for individual users, serviceAccount for a service account, and group for a Google group.
  • [ACCOUNT] is the email address of the account to which to grant this role. For example, for a service account, this might be my-sa@my-project-123.iam.gserviceaccount.com.
  • [ROLE] is the role that you want to grant to the user. For images, specify roles/compute.imageUser. For snapshots, specify roles/compute.storageAdmin.

For example, the following grants the roles/compute.imageUser role to john@example.com so that they can access images in a project named database-images:

gcloud projects add-iam-policy-binding database-images \
    --member user:john@example.com --role roles/compute.imageUser

API

In the API, make a POST request to the following URL, where [PROJECT_ID] is the ID of the project containing the images you want to share.

POST https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setIamPolicy

The request body should contain the list of bindings you want to apply to this project. The role should be part of the binding. For example:

{
   "policy": {
       "version": "0",
       "bindings": [
       {
           "role": "roles/compute.admin",
           "members": [
               "user:example@gmail.com"
           ]
       },
       {
           "role": "roles/compute.imageUser",
           "members": [
               "user:john@gmail.com"
           ]
       }
       ]
   }

}

Granting a managed instance group access to images

Compute Engine allows you to create groups of instances, either as managed or unmanaged instance groups. If you create a managed instance group, Compute Engine uses the Google APIs service account to call the Compute Engine API and perform relevant actions related to the group, such as recreating unhealthy instances and updating instances. If you want to create a managed instance group using an image from another project, you can grant the compute.imageUser role to the APIs service account belonging to the project creating the managed instance group.

For example, assume that Project A wants to create managed instance groups using images owned by Project B. The owner of Project B must grant the Google APIs service account of Project A the compute.imageUser role on Project B. This grants the account the ability to use the images from Project B to create managed instance groups in Project A.

After granting the compute.imageUser role, you can provide the URL of the specific image when you create the instance template for the group.

Follow these steps to get the service account email and grant the account access:

  1. Go to the IAM page in the Cloud Console of the project from which you want to create managed instance groups.

    Go to the IAM page

  2. If prompted, select your project from the list.

  3. Look for the Google APIs service account, which has the email address in the following format:

    [PROJECT_NUMBER]@cloudservices.gserviceaccount.com

  4. Make note of the email address above. Next, grant the account access to the project that owns the images.

    Console

    1. While still in the Google Cloud Console, go to the IAM page of the project that contains the images you want access to.

      Go to the IAM page

    2. Select the project from the project list.
    3. Click the Add button to add a new member.
    4. In the Members box, enter the email address of the service account.
    5. Expand the Roles drop-down list, and select Compute Engine > Compute Image User (beta).
    6. Click Add to add the account.

    gcloud

    Using the gcloud command-line tool, add a binding to the Cloud IAM policy for the image or image project. The following example adds a binding at the project level.

    gcloud projects add-iam-policy-binding [PROJECT_ID] \
    --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/compute.imageUser

    where:

    • [PROJECT_ID] is the ID of the project containing images you want to share.
    • [SERVICE_ACCOUNT_EMAIL] is the email of the service account.

    For example:

    gcloud projects add-iam-policy-binding database-images \
    --member serviceAccount:123456789012@cloudservices.gserviceaccount.com  \
    --role roles/compute.imageUser

    API

    In the API, make a POST request to the following URL, where [PROJECT_ID] is the ID of the project containing the images you want to share.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/$[PROJECT_ID]:setIamPolicy

    The request body should contain the list of bindings you want to apply to this project. The roles/compute.imageUser role should be part of the binding. For example:

    {
   "policy": {
       "version": "0",
       "bindings": [
       {
           "role": "roles/owner",
           "members": [
               "user:example@gmail.com"
           ]
       },
       {
           "role": "roles/compute.imageUser",
           "members": [
               "serviceAccount:123456789012@cloudservices.gservbiceaccount.com"
           ]
       }
       ]
   }
}

Restricting use of your shared images and snapshots

After you have shared images and snapshots with other users, you can control where those users employ those resources. Set the constraints/compute.storageResourceUseRestrictions constraint to define the projects where users are permitted to use your storage resources.

You must have permission to modify your organization's policies to set these constraints. For example, the resourcemanager.organizationAdmin role has permission to set these constraints.

  1. Find the organization ID for your organization.

    gcloud organizations list

  2. Get the existing policy settings for your organization.

    gcloud beta resource-manager org-policies describe \
    compute.storageResourceUseRestrictions \
    --organization [ORGANIZATION_ID] > org-policy.yaml

    where [ORGANIZATION_ID] is your organization ID.

  3. Open the org-policy.yaml file in a text editor and modify the compute.storageResourceUseRestrictions constraint. Add the restrictions that you need or remove the restrictions that you no longer require. When you have finished editing the file, save your changes. For example, you might set the following constraint entry in your policy file:

    constraint: compute.storageResourceUseRestrictions
listPolicy:
  allowedValues:
    - under:organization/[ORGANIZATION_ID]

  4. Apply the policy.yaml file to your organization.

    gcloud beta resource-manager org-policies set-policy
--organization [ORGANIZATION_ID] org-policy.yaml

    where [ORGANIZATION_ID] is your organization ID.

When you have finished configuring the constraints in your organization policy, test those constraints to ensure that they create the restrictions that you need.

Using images from another project

If someone has granted you the compute.imageUser role, you can access the images in the project by specifying the image project in your requests. For example, to get a list of images available to you:

gcloud compute images list --project [IMAGE_PROJECT_ID]

To learn how to use an image to create new resources, such as creating an instance, read Creating and starting an instance.

For example, the following command creates an instance using an image called database-image-a from project database-images:

gcloud compute instances create test-instance --image database-image-a --image-project database-images

Similarly, you can use the image to create persistent disks. For information about creating a disk from an image, see Creating a standalone root persistent disk.

Using snapshots from another project

If someone has granted you the compute.snapshots.useReadOnly role for a snapshot in a specific project, you can access that snapshot by specifying the project ID in your requests. If someone has granted you the compute.storageAdmin role in a specific project, you can access the snapshots in that project by specifying the project ID in your requests. For example, to get a list of snapshots available to you in the project [SNAPSHOT_PROJECT_ID]:

gcloud compute snapshots list --project [SNAPSHOT_PROJECT_ID]

Share snapshots with users in other projects to move disk data across projects.

For example, to move the data from the disk disk-1 in project-a to a new disk disk-2 in project-b, use the following steps. In this example, disk-1 is located in zone us-west2-a and instance-1 is located in zone us-west2-b.

gcloud

  1. Create a snapshot of disk-1:

    gcloud --project project-a compute disks snapshot disk-1 --snapshot-names snapshot-1

  2. Create a new disk in project-b that is based on the snapshot:

    gcloud --project project-b beta compute disks create disk-2 --source-snapshot projects/project-a/global/snapshots/snapshot-1

  3. Attach the new disk to the instance instance-1 in project-b. The disk must be in the same zone as the instance:

    gcloud --project project-b compute instances attach-disk instance-1 --disk disk-2

  4. Mount the disk. See steps steps 5-7 of Formatting and mounting a persistent disk.

API

  1. Create a snapshot of disk-1 by making a POST request to the disks.createSnapshot method.

    POST https://compute.googleapis.com/compute/v1/projects/project-a/zones/us-west2-a/disks/disk-1/createSnapshot

{
 "name": "snapshot-1"
}

  2. Create a new disk disk-2 in project-b that is based on the snapshot. Construct a POST request to create a zonal persistent disk using the disks.insert method.

    POST https://compute.googleapis.com/compute/v1/projects/project-b/zones/us-west2-b/disks

{
 "name": "disk-2",
 "sizeGb": [DISK_SIZE],
 "type": "zones/us-west2-b/diskTypes/[DISK_TYPE]"
 "sourceSnapshot": "projects/project-a/global/snapshots/snapshot-1"
}

    where:

    • [DISK_SIZE] is the size of the new disk in GB.
    • [DISK_TYPE] is the type of persistent disk. Either pd-standard or pd-ssd.

  3. Attach the new disk to the instance instance-1 in project-b. The disk must be in the same zone as the instance. Construct a POST request to the instances.attachDisk method, and include the URL to the zonal persistent disk that you just created.

    POST https://compute.googleapis.com/compute/v1/projects/project-b/zones/us-west2-b/instances/instance-1/attachDisk

{
 "source": "/compute/v1/projects/project-b/zones/us-west2-b/disks/disk-2"
}

  4. Mount the disk. See steps steps 5-7 of Formatting and mounting a persistent disk.

What's next

Oliko tästä sivusta apua? Kerro mielipiteesi

Palautteen aihe:

Tämä sivu
Dokumentaatio
Compute Engine Documentation
Tuote