Share gallery resources across subscriptions and tenants by using RBAC

Because a gallery, definition, and version are all resources in Azure Compute Gallery, you can share them by using the built-in Azure role-based access control (RBAC) roles. By using Azure RBAC roles, you can share these resources with other users, service principals, and groups. You can even share access with individuals outside the tenant where they were created.

After users have access, they can use the gallery resources to deploy a virtual machine (VM) or a virtual machine scale set. Here's a sharing matrix that can help you understand what the users get access to:

| Shared with users | Gallery | Image definition | Image version |
|---|---|---|---|
| Gallery | Yes | Yes | Yes |
| Image definition | No | Yes | Yes |

We recommend sharing at the gallery level for the best experience. We don't recommend sharing individual image versions. For more information about Azure RBAC, see Assign Azure roles.

There are three main ways to share images in Compute Gallery, depending on which users you want to share with:

| Sharing with: | People | Groups | Service principal | All users in a specific subscription or tenant | Publicly with all users in Azure |
|---|---|---|---|---|---|
| RBAC sharing | Yes | Yes | Yes | No | No |
| RBAC + direct shared gallery | Yes | Yes | Yes | Yes | No |
| RBAC + community gallery | Yes | Yes | Yes | No | Yes |

You can also create an app registration to share images between tenants.

Note

You can use images with read permissions on them to deploy virtual machines and disks.

When you use a direct shared gallery, images are distributed widely to all users in a subscription or tenant. A community gallery distributes images publicly. When you share images that contain intellectual property, use caution to prevent widespread distribution.

Share by using RBAC

When you share a gallery by using RBAC, you need to provide the imageID value to anyone who creates a VM or scale set from the image. The person who's deploying the VM or scale set can't list the images that were shared with them via RBAC.

If you share gallery resources with someone outside your Azure tenant, they need your tenantID value to sign in and have Azure verify that they have access to the resource before they can use it within their own tenant. You need to provide the tenantID value. There is no way for someone outside your organization to query for this value.

For instructions on consuming an image shared via RBAC and creating a VM or a scale set, see:

  1. Sign in to the Azure portal.

  2. On the page for your gallery, on the left menu, select Access control (IAM).

  3. Under Add, select Add role assignment. The Add role assignment pane opens.

  4. Under Role, select Reader.

  5. On the Members tab, ensure that the user is selected. For Assign access to, keep the default of User, group, or service principal.

  6. Choose Select members. On the pane that opens, choose a user account.

  7. If the user is outside your organization, the following message appears: This user will be sent an email that enables them to collaborate with Microsoft. Select the user with the email address, and then select Save.
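The same gallery-level Reader assignment done with the Azure CLI, together with the two values the recipient must be handed (imageID and tenantID, since an RBAC-shared image cannot be listed by the recipient). This is an added example, not part of the original page; the subscription ID, resource group, gallery, image definition, version and user names are placeholders.

```shell
# Added example (not from the original page): share a gallery via RBAC at
# gallery scope, verify the assignment, and produce the imageID/tenantID handoff.
# Subscription, resource group, gallery, definition, version and user are placeholders.

gallery_scope() {
  # Resource ID of a gallery; Reader here covers every definition and version beneath it.
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/galleries/%s' "$1" "$2" "$3"
}

image_version_id() {
  # The imageID a recipient passes to `az vm create --image`; $1 is the gallery scope.
  printf '%s/images/%s/versions/%s' "$1" "$2" "$3"
}

share_gallery_reader() {
  # Assign the built-in Reader role at gallery scope (not at individual version scope).
  az role assignment create --role Reader --assignee "$1" --scope "$2"
}

verify_reader() {
  # Check that the assignment took effect: succeeds only if the principal holds Reader at this scope.
  az role assignment list --scope "$2" --role Reader --assignee "$1" \
    --query "[0].principalName" -o tsv | grep -q .
}

consume_as_recipient() {
  # Recipient side: sign in against the owner's tenantID, then deploy into the recipient's own
  # resource group using the full imageID (the image will not appear in any listing).
  az login --tenant "$1"
  az vm create --resource-group "$2" --name "$3" --image "$4" \
    --admin-username azureuser --generate-ssh-keys
}

if [ "${1:-}" = "run" ]; then
  SUB="00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
  SCOPE=$(gallery_scope "$SUB" "myGalleryRG" "myGallery")
  share_gallery_reader "user@example.com" "$SCOPE"
  verify_reader "user@example.com" "$SCOPE" || { echo "Reader assignment not found" >&2; exit 1; }
  echo "imageID:  $(image_version_id "$SCOPE" "myImageDefinition" "1.0.0")"
  echo "tenantID: $(az account show --query tenantId -o tsv)"
fi
```

Run it as `sh share.sh run` from a session already signed in to the owning subscription; the recipient then calls `consume_as_recipient` with the printed tenantID and imageID.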