Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions,
see Getting Started with Amazon Web Services in China
(PDF).
Service-linked roles
Service-linked roles are predefined IAM permissions that allow IAM Identity Center to
delegate and enforce which users have single sign-on access to specific Amazon Web Services accounts
in your organization in Amazon Organizations. The service enables this functionality by provisioning
a service-linked role in every Amazon Web Services account within its organization. The service then
allows other Amazon services like IAM Identity Center to leverage those roles to perform
service-related tasks. For more information, see Amazon Organizations and service-linked roles.
When you enable IAM Identity Center, IAM Identity Center creates a service-linked role in all accounts within the
organization in Amazon Organizations. IAM Identity Center also creates the same service-linked role in every
account that is subsequently added to your organization. This role allows IAM Identity Center to
access each account's resources on your behalf. For more information, see Manage access to Amazon Web Services accounts.
Service-linked roles that are created in each Amazon Web Services account are named
AWSServiceRoleForSSO. For more information, see Using service-linked roles for
IAM Identity Center.