Simple Log Service: Create a scheduled SQL job with a custom RAM role

Last Updated: Jun 20, 2026

Simple Log Service lets you use the default role AliyunLogETLRole or a custom RAM role to create a scheduled SQL job. This topic shows you how to grant permissions to a custom RAM role to analyze logs in a source logstore and write data to a destination logstore.

Grant analysis permissions for the source logstore

  1. Log on to the RAM console using the Alibaba Cloud account that contains the source logstore, or as a RAM administrator for that account.

  2. Create a RAM role. For example, name the role QueryLogStoreRole. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  3. Create a custom policy, such as QueryLogStorePolicy, to grant permissions for analyzing logs in the source logstore. For more information, see Create a custom policy in the JSON editor.

    On the JSON editor tab, replace the content in the policy editor with a policy for either exact match or fuzzy match authorization.

    Exact match authorization

    Replace {project-name} and {logstore-name} with your actual project and logstore names.

    Important

    In a custom policy, the logstore resource type covers both logstores and metricstores, so this policy also applies if the source is a metricstore.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:PostProjectQuery"
                ],
                "Resource":[
                    "acs:log:*:*:project/{project-name}/logstore/{logstore-name}"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "log:GetProjectQuery",
                    "log:PutProjectQuery",
                    "log:DeleteProjectQuery"
                ],
                "Resource":[
                    "acs:log:*:*:project/{project-name}"
                ],
                "Effect":"Allow"
            }
        ]
    }

    Fuzzy match authorization

    For example, if your source projects are named log-project-dev-a, log-project-dev-b, and log-project-dev-c, and your source logstores are named website_a_log, website_b_log, and website_c_log, you can use fuzzy match authorization. Replace the project and logstore names in the policy based on your actual scenario.

    {
        "Version":"1",
        "Statement":[
            {
                "Action":[
                    "log:PostProjectQuery"
                ],
                "Resource":[
                    "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log"
                ],
                "Effect":"Allow"
            },
            {
                "Action":[
                    "log:GetProjectQuery",
                    "log:PutProjectQuery",
                    "log:DeleteProjectQuery"
                ],
                "Resource":[
                    "acs:log:*:*:project/log-project-dev-*"
                ],
                "Effect":"Allow"
            }
        ]
    }
  4. Grant the custom policy QueryLogStorePolicy to the RAM role QueryLogStoreRole. For more information, see Manage permissions for a RAM role.
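
Before attaching a fuzzy match policy, it helps to check which logstores the wildcard pattern actually covers. The following script is an added example, not part of the original documentation: it tests the fuzzy match resource pattern from step 3 against a constructed inventory, and it assumes that "*" matches any run of characters. The extra project and logstore names, the region, and the account ID are constructed sample values.

```python
import re

# Resource pattern copied from the fuzzy match source policy on this page.
PATTERN = "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log"

# Constructed inventory: (project, logstore, should the job read this store?)
INVENTORY = [
    ("log-project-dev-a", "website_a_log", True),
    ("log-project-dev-b", "website_b_log", True),
    ("log-project-dev-c", "website_c_log", True),
    ("log-project-dev-a", "website_a_log_output", False),
    ("log-project-dev-a", "website_admin_audit_log", False),
    ("log-project-dev-billing", "website_a_log", False),
    ("log-project-prod-a", "website_a_log", False),
]

def arn(project, logstore, region="cn-hangzhou", account="1111111111111111"):
    # Region and account ID are constructed sample values.
    return f"acs:log:{region}:{account}:project/{project}/logstore/{logstore}"

def to_regex(pattern):
    # Assumption: "*" stands for any run of characters; everything else is literal.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))

def classify(pattern, inventory):
    """Split the inventory into intended grants, unintended grants and misses."""
    rx = to_regex(pattern)
    result = {"granted_intended": [], "granted_unintended": [], "missed": []}
    for project, logstore, intended in inventory:
        matched = rx.fullmatch(arn(project, logstore)) is not None
        if matched and intended:
            key = "granted_intended"
        elif matched:
            key = "granted_unintended"
        elif intended:
            key = "missed"
        else:
            continue  # not intended and not granted: nothing to report
        result[key].append(f"{project}/{logstore}")
    return result

if __name__ == "__main__":
    for key, names in classify(PATTERN, INVENTORY).items():
        print(key, names)
```

Any entry under granted_unintended is a logstore the role can query even though the job does not need it; tighten the pattern or switch to exact match authorization for those cases.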

Next steps

  1. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.

  2. When creating a scheduled SQL job, under SQL Execution Authorization, select Custom Role and enter the ARN of the QueryLogStoreRole RAM role. For more information, see Create a scheduled SQL job.

Grant write permissions for the destination logstore

  1. Log on to the RAM console using the Alibaba Cloud account that contains the destination logstore, or as a RAM administrator for that account.

  2. Create a RAM role. For example, name the role WriteLogStoreRole. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

    Important
    • When creating a RAM role, set Principal Type to Cloud Service, and Principal Name to Simple Log Service.

    • Check the trust policy of the RAM role. Make sure that the Service element contains at least "log.aliyuncs.com".

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
  3. Create a custom policy, such as WriteLogStorePolicy, to grant permissions for writing data to the destination logstore. For more information, see Create a custom policy in the JSON editor.

    On the JSON editor tab, replace the content in the policy editor with a policy for either exact match or fuzzy match authorization.

    Exact match authorization

    Replace {project-name} and {logstore-name} with your actual project and logstore names.

    Important

    In a custom policy, the logstore resource type covers both logstores and metricstores, so this policy also applies if the source is a metricstore.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:PostLogStoreLogs",
            "log:PostProjectQuery"
          ],
          "Resource": "acs:log:*:*:project/{project-name}/logstore/{logstore-name}",
          "Effect": "Allow"
        }
      ]
    }

    Fuzzy match authorization

    For example, to match destination projects like log-project-dev-a, log-project-dev-b, and log-project-dev-c, and logstores like website_a_log_output, website_b_log_output, and website_c_log_output, you can use fuzzy match authorization. Modify the project and logstore names in the policy to fit your scenario.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:Post*",
            "log:BatchPost*"
          ],
          "Resource": "acs:log:*:*:project/log-project-dev-*/logstore/website_*_log_output",
          "Effect": "Allow"
        }
      ]
    }
  4. Attach the custom policy WriteLogStorePolicy to the RAM role WriteLogStoreRole. For more information, see Manage permissions for a RAM role.

  5. (Optional) If the source logstore and destination logstore belong to different Alibaba Cloud accounts, you must also modify the trust policy for the WriteLogStoreRole RAM role.

    1. In the RAM role list, click the RAM role WriteLogStoreRole.

    2. On the Trust Policy tab, click Edit Trust Policy and replace the content in the editor with the following policy.

      Important

      Replace {source-account-id} with the ID of the Alibaba Cloud account where the source logstore resides. You can find the account ID in the Account Center.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "log.aliyuncs.com",
                "{source-account-id}@log.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
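
The trust policy checks described in steps 2 and 5 can be automated. The following script is an added example, not part of the original documentation: it audits a role trust policy for the "log.aliyuncs.com" service principal, for the cross-account principal when a source account ID is supplied, for an unreplaced {source-account-id} placeholder, and for any other principal that can assume the role. The account IDs and the RAM principal in the sample policies are constructed values.

```python
import json

SERVICE = "log.aliyuncs.com"  # service principal named on this page

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def audit_trust_policy(policy_text, source_account_id=None):
    """Return findings for a role trust policy; an empty list means the expected shape."""
    expected = {SERVICE}
    if source_account_id:  # cross-account case from step 5
        expected.add(f"{source_account_id}@{SERVICE}")
    seen, findings = set(), []
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        for kind, values in stmt.get("Principal", {}).items():
            for value in as_list(values):
                if kind != "Service":
                    findings.append(f"unexpected {kind} principal: {value}")
                elif "{" in value:
                    findings.append(f"placeholder not replaced: {value}")
                elif value not in expected:
                    findings.append(f"unexpected service principal: {value}")
                else:
                    seen.add(value)
    findings += [f"missing service principal: {p}" for p in sorted(expected - seen)]
    return findings

def trust_policy(services, extra=None):
    # Builds a policy in the same shape as the trust policies on this page.
    principal = {"Service": services, **(extra or {})}
    return json.dumps({"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                      "Principal": principal}], "Version": "1"})

ACCOUNT = "1111111111111111"  # constructed source account ID
TEMPLATE = trust_policy([SERVICE, "{source-account-id}@" + SERVICE])  # pasted unedited
CORRECT = trust_policy([SERVICE, f"{ACCOUNT}@{SERVICE}"])
TOO_WIDE = trust_policy([SERVICE, f"{ACCOUNT}@{SERVICE}"],
                        {"RAM": ["acs:ram::2222222222222222:root"]})

if __name__ == "__main__":
    for name, text in [("template", TEMPLATE), ("correct", CORRECT), ("too wide", TOO_WIDE)]:
        print(name, audit_trust_policy(text, ACCOUNT) or "ok")
```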

Next steps

  1. Obtain the Alibaba Cloud Resource Name (ARN) of the RAM role. For more information, see View a RAM role.

  2. When creating a scheduled SQL job, under Write Authorization, select Custom Role and enter the ARN of the WriteLogStoreRole RAM role. For more information, see Create a scheduled SQL job.