Share gallery resources
An Azure Compute Gallery, its image definitions, and its image versions are all Azure resources, so they can be shared using the built-in Azure role-based access control (RBAC) roles. With Azure RBAC roles you can share these resources with other users, service principals, and groups, including identities outside the tenant in which the gallery was created. Once a principal has access, it can use the gallery resources to deploy a VM or a Virtual Machine Scale Set. The following sharing matrix shows what a user gets access to, depending on the level at which you share:
| Shared with user | Azure Compute Gallery | Image definition | Image version |
|---|---|---|---|
| Azure Compute Gallery | Yes | Yes | Yes |
We recommend sharing at the gallery level for the best experience. We don't recommend sharing individual image versions. Keep in mind that a role assignment on the gallery covers every image definition and version in it, so only put images in the same gallery if they can be shared with the same audience. For more information about Azure RBAC, see Assign Azure roles.
There are three main ways to share images in an Azure Compute Gallery, depending on who you want to share with:
| Sharing with: | People | Groups | Service principal | All users in a specific subscription or tenant | Publicly with all users in Azure |
|---|---|---|---|---|---|
| RBAC + Direct shared gallery | Yes | Yes | Yes | Yes | No |
| RBAC + Community gallery | Yes | Yes | Yes | No | Yes |
You can also create an App registration to share images between tenants.
Share using RBAC
When you share a gallery using RBAC, you need to provide the image ID (the resource ID of the image definition or image version) to anyone creating a VM or scale set from the image. There is no way for the person deploying the VM or scale set to list the images that were shared with them using RBAC, so they cannot discover the ID on their own.
If you share gallery resources with someone outside of your Azure tenant, they will need your tenant ID to sign in so that Azure can verify they have access to the resource before they can use it within their own tenant. You will need to provide them with your tenant ID; there is no way for someone outside your organization to query for your
RBAC sharing can be used to share resources with users within your organization or with users outside it (cross-tenant). Here are the instructions for sharing an image with RBAC and then consuming it to create a VM or scale set:
RBAC - Shared within your organization
- On the page for your gallery, in the menu on the left, select Access control (IAM).
- Under Add a role assignment, select Add. The Add a role assignment pane will open.
- Under Role, select Reader. Reader is enough for a consumer to deploy from the gallery's images; don't grant a broader role than the consumer needs.
- Under Assign access to, leave the default of Azure AD user, group, or service principal.
- Under Select, type the email address of the person you would like to invite.
- If the user is outside of your organization, you'll see the message This user will be sent an email that enables them to collaborate with Microsoft. Select the user with the email address and then click Save.
- Create an image definition and an image version.
- Create a VM from a generalized or specialized image in a gallery.
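The procedure above, as an added example that is not part of the original article or of Microsoft's own scripts: a POSIX shell script that performs the same steps with the Azure CLI instead of the portal. Subscription, tenant, resource group, gallery and image names are placeholders, and the gallery_id, image_version_id, share_gallery and create_vm_from_shared_image functions are helpers written for this example, not Azure CLI commands. It also covers the two handover points from the Share using RBAC section: the consumer is given the image ID rather than discovering it, and a consumer in another tenant signs in against the owner's tenant ID first. With DRY_RUN=1 (the default) it prints the az commands instead of running them, so it can be read and checked without an Azure login.

```shell
#!/bin/sh
# Added example (not from the article): share an Azure Compute Gallery with RBAC
# and consume a shared image with the Azure CLI. All IDs and names are placeholders.
set -eu

# DRY_RUN=1 (default) prints each az command instead of executing it, so the
# script runs without an Azure login; set DRY_RUN=0 to run the commands for real.
DRY_RUN="${DRY_RUN:-1}"
az_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# ARM resource ID of the gallery. Share at this scope: a principal that can read
# the gallery can read, and deploy from, every image definition and version in it.
gallery_id() {
  # $1 subscription ID, $2 resource group, $3 gallery name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s' \
    "$1" "$2" "$3"
}

# Definition and version IDs nest under the gallery ID. One of these is the
# "image ID" the owner must hand to the consumer, because images shared through
# RBAC cannot be listed by the consumer.
image_definition_id() {
  # $1 subscription ID, $2 resource group, $3 gallery, $4 image definition
  printf '%s/images/%s' "$(gallery_id "$1" "$2" "$3")" "$4"
}
image_version_id() {
  # $1 subscription ID, $2 resource group, $3 gallery, $4 image definition, $5 version
  printf '%s/images/%s/versions/%s' "$(gallery_id "$1" "$2" "$3")" "$4" "$5"
}

# Owner side: grant Reader (sufficient to deploy) on the whole gallery.
# $2 is a user principal name, object ID or app ID. A user from another tenant
# must already exist as a guest in the owner's tenant (the portal invites them).
share_gallery() {
  # $1 gallery resource ID, $2 assignee
  az_cmd role assignment create --assignee "$2" --role Reader --scope "$1"
}

# Consumer side: deploy from the image ID handed over by the owner.
# For a cross-tenant share, sign in to the owner's tenant first (so Azure can
# verify the role assignment there), then to your own tenant where the VM lands.
create_vm_from_shared_image() {
  # $1 image definition or version ID, $2 resource group, $3 VM name,
  # $4 owner tenant ID (empty for same-tenant), $5 consumer tenant ID (cross-tenant only)
  if [ -n "${4:-}" ]; then
    az_cmd login --tenant "$4"
    az_cmd login --tenant "${5:?consumer tenant ID is required for cross-tenant use}"
  fi
  az_cmd vm create --resource-group "$2" --name "$3" --image "$1" --generate-ssh-keys
}

# Demo with placeholder values (dry run by default).
SUB=00000000-0000-0000-0000-000000000000
GALLERY_ID=$(gallery_id "$SUB" rg-images myGallery)
share_gallery "$GALLERY_ID" reader@contoso.com
IMAGE_ID=$(image_version_id "$SUB" rg-images myGallery myImageDef 1.0.0)
create_vm_from_shared_image "$IMAGE_ID" rg-vms vm01 \
  11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222
```

Run it as-is to see the commands it would issue, then run it with DRY_RUN=0 after `az login` on the owner side. The role assignment is made once, at the gallery scope; the consumer only ever receives the image ID and, for a cross-tenant share, the owner's tenant ID.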