Simple Log Service: Authorization

Last Updated: Jun 08, 2026

Before a Scheduled SQL task can run, three permission layers must be in place: management permissions to control the task lifecycle, SQL analysis permissions to query the source Logstore or Metricstore, and data write permissions to save results to the destination.

Management permissions on a Scheduled SQL task

Management permissions control who can create, modify, delete, and view a Scheduled SQL task.

Important

Use a RAM user rather than an Alibaba Cloud account to manage Scheduled SQL tasks. Limiting access through RAM reduces the blast radius if credentials are compromised.

  • Alibaba Cloud account: An Alibaba Cloud account has full management permissions on Simple Log Service through the AliyunLogFullAccess policy. No additional grants are needed.

  • RAM user: A Resource Access Management (RAM) user requires an explicit grant before it can manage Scheduled SQL tasks. See Grant a RAM user permissions to manage Scheduled SQL tasks.

SQL analysis permissions required by a Scheduled SQL task

To run SQL analysis against a source Logstore or Metricstore, a Scheduled SQL task assumes a RAM role. The AliyunLogETLRole built-in role already carries the required permissions. For tighter access control, create a custom role and grant only the permissions needed.

Data write permissions required by a Scheduled SQL task

To save SQL analysis results to a destination Logstore or Metricstore, a Scheduled SQL task assumes a RAM role with write permissions. The AliyunLogETLRole default role covers this requirement. For finer-grained control, use a custom role.
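The two custom-role recommendations above (SQL analysis and data write) only tighten access if the custom policy names specific projects and Logstores. The following check is an added example, not code from the Simple Log Service documentation: it scans a RAM policy document for Allow statements that grant every action or that leave the project or Logstore name as a wildcard. The sample policy, the project and Logstore names, and the action names in it are assumptions constructed for illustration.

```python
import json

# Constructed sample policy for a custom Scheduled SQL role. Names are
# placeholders; action names are assumptions to verify against the current
# Simple Log Service action list before use.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["log:PostProjectQuery"],
     "Resource": ["acs:log:*:*:project/example-project/logstore/source-logstore"]},
    {"Effect": "Allow",
     "Action": ["log:Post*"],
     "Resource": ["acs:log:*:*:project/example-project/logstore/*"]},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # RAM policies accept either a single string or a list for Action/Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, field, value) for each over-broad Allow grant.

    Only full wildcards are flagged; prefix patterns such as "log:Post*" and
    NotAction/NotResource elements are outside the scope of this check.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in ("*", "log:*"):
                findings.append((i, "action", action))
        for res in _as_list(stmt.get("Resource", [])):
            # Resource layout: acs:log:<region>:<account>:project/<p>[/logstore/<l>[/...]]
            seg = res.split(":", 4)[-1].split("/")
            names = seg[1:2] + seg[3:4]  # project name, Logstore name
            if res == "*" or "*" in names:
                findings.append((i, "resource", res))
    return findings


if __name__ == "__main__":
    for index, field, value in audit_policy(SAMPLE_POLICY):
        print(f"statement {index}: over-broad {field}: {value}")
```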