Before a Scheduled SQL task can run, three permission layers must be in place: management permissions to control the task lifecycle, SQL analysis permissions to query the source Logstore or Metricstore, and data write permissions to save results to the destination.
Management permissions on a Scheduled SQL task
Management permissions control who can create, modify, delete, and view a Scheduled SQL task.
Use a RAM user rather than the Alibaba Cloud account itself to manage Scheduled SQL tasks. Scoping access through RAM keeps the blast radius small if the credentials used for task management are compromised.
Alibaba Cloud account: An Alibaba Cloud account has full permissions on Simple Log Service by default, so no additional grants are needed. (AliyunLogFullAccess is the system policy that gives a RAM user that same full access; it is not something the account itself has to be granted.)
RAM user: A Resource Access Management (RAM) user requires an explicit grant before it can manage Scheduled SQL tasks. See Grant a RAM user permissions to manage Scheduled SQL tasks.
SQL analysis permissions required by a Scheduled SQL task
To run SQL analysis against a source Logstore or Metricstore, a Scheduled SQL task assumes a RAM role. The AliyunLogETLRole built-in role already carries the required permissions, but it is not scoped to one Logstore. For tighter access control, create a custom role and grant it only the read permissions it needs, scoped to the specific source Logstore or Metricstore.
Default role: The AliyunLogETLRole default role includes SQL analysis permissions for source Logstores and Metricstores. Authorize the task to assume this role. See Configure a default role.
Custom role: Create a RAM role whose trust policy allows Simple Log Service to assume it, grant it SQL analysis permissions scoped to the source Logstore or Metricstore, and then authorize the task to assume it. See Step 1: Grant the RAM role the permissions to analyze log data in a source Logstore.
Data write permissions required by a Scheduled SQL task
To save SQL analysis results to a destination Logstore or Metricstore, a Scheduled SQL task assumes a RAM role with write permissions. The AliyunLogETLRole default role covers this requirement. For finer-grained control, use a custom role whose write permission is scoped to the one destination Logstore or Metricstore, so that a compromised task cannot write into any other store.
Default role: The AliyunLogETLRole default role includes write permissions for destination Logstores and Metricstores. Authorize the task to assume this role. See Configure a default role.
Custom role: Create a RAM role (or reuse the role from Step 1), grant it write permissions scoped to the destination Logstore or Metricstore, and then authorize the task to assume it. See Step 2: Grant the RAM role the permissions to write data to a destination Logstore.
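The two custom-role steps above (Step 1, read the source; Step 2, write the destination) come down to three RAM policy documents: a read policy, a write policy, and the role's trust policy. The following is an added example, not code from Alibaba Cloud or from the Simple Log Service documentation. It builds those documents for a given project and Logstore and then audits any policy for grants wider than the task needs. It assumes the RAM policy grammar (Version "1", Statement with Effect/Action/Resource), the action names log:GetLogStoreLogs for reading and log:PostLogStoreLogs for writing, the resource form acs:log:<region>:<uid>:project/<project>/logstore/<logstore> (a Metricstore is addressed the same way), and log.aliyuncs.com as the service principal that assumes the role. The "broad" policy at the end is a constructed contrast case, not the actual policy attached to AliyunLogETLRole.

```python
"""Least-privilege RAM policies for a Scheduled SQL custom role.

Added example; not code from Alibaba Cloud or the Simple Log Service docs.
Assumed: RAM policy grammar, the log:GetLogStoreLogs / log:PostLogStoreLogs
action names, the acs:log:<region>:<uid>:project/<p>/logstore/<l> resource
form, and log.aliyuncs.com as the assuming service principal.
"""
import json
import re

# Read side (Step 1): query the source Logstore or Metricstore.
READ_ACTIONS = ["log:GetLogStoreLogs"]
# Write side (Step 2): store results in the destination Logstore or Metricstore.
WRITE_ACTIONS = ["log:PostLogStoreLogs"]

# A resource is "scoped" only if it names exactly one project and one logstore,
# with no wildcard in either segment.
_SCOPED_RESOURCE = re.compile(r"^project/[^/*]+/logstore/[^/*]+$")


def logstore_arn(project, logstore, region="*", uid="*"):
    """ARN for one Logstore; region and account ID default to wildcards."""
    return f"acs:log:{region}:{uid}:project/{project}/logstore/{logstore}"


def _policy(actions, resources):
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}
        ],
    }


def source_read_policy(project, logstore):
    """Step 1 policy: the role may only read the one source Logstore."""
    return _policy(READ_ACTIONS, [logstore_arn(project, logstore)])


def dest_write_policy(project, logstore):
    """Step 2 policy: the role may only write the one destination Logstore."""
    return _policy(WRITE_ACTIONS, [logstore_arn(project, logstore)])


def trust_policy():
    """Trust policy that lets Simple Log Service assume the role for the task."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"Service": ["log.aliyuncs.com"]},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy, needed_actions):
    """Return findings for any Allow statement wider than the task needs.

    Two checks: every action must be one the task actually uses, and every
    resource must name exactly one Logstore. An empty list means the policy
    is least-privilege with respect to `needed_actions`. Deny statements are
    ignored since they only narrow access.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action not in needed_actions:
                findings.append(f"statement {i}: action {action} is not needed by this task")
        for res in _as_list(st.get("Resource", [])):
            parts = res.split(":", 4)  # acs:log:<region>:<uid>:<resource path>
            if len(parts) != 5 or not _SCOPED_RESOURCE.match(parts[4]):
                findings.append(f"statement {i}: resource {res} is not scoped to one Logstore")
    return findings


# Constructed contrast case: one statement that can read and write every
# Logstore in the account. This is NOT the policy of AliyunLogETLRole; it is
# the shape of grant that a custom role exists to avoid.
BROAD_POLICY = _policy(READ_ACTIONS + WRITE_ACTIONS, ["acs:log:*:*:*"])


if __name__ == "__main__":
    read = source_read_policy("src-project", "nginx-access")
    write = dest_write_policy("dst-project", "nginx-5xx-per-minute")
    print(json.dumps(read, indent=2))
    print(json.dumps(write, indent=2))
    print(json.dumps(trust_policy(), indent=2))
    print("read policy findings:", audit_policy(read, READ_ACTIONS))
    print("broad policy findings:", audit_policy(BROAD_POLICY, READ_ACTIONS))
```

Attach the read policy and the write policy to the role (or keep them on two separate roles if you want the task's analysis and write identities to differ) and set the trust policy as the role's assume-role document. Run audit_policy against whatever policy ends up on the role before authorizing the task: a finding such as "resource acs:log:*:*:* is not scoped to one Logstore" means the role can reach stores the task was never meant to touch.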