AWS Single Sign-On
User Guide

Service-Linked Roles

Service-linked roles are IAM roles with predefined permissions that allow AWS SSO to delegate and enforce which users have SSO access to specific AWS accounts in your AWS organization. AWS Organizations enables this functionality by provisioning a service-linked role in every AWS account within its organization. AWS Organizations then allows other AWS services, such as AWS SSO, to use those roles to perform service-related tasks. For more information, see AWS Organizations and Service-Linked Roles.

When you Enable AWS SSO for the first time, the AWS Organizations service grants AWS SSO the permissions it needs to create IAM roles in any of the organization's AWS accounts. AWS SSO doesn't create roles in any of the AWS accounts at this point. It creates a service-linked role in an AWS account only after you have used the AWS SSO console to specify that account as one you want to assign SSO access to. For more information, see Manage SSO to Your AWS Accounts.

Service-linked roles that are created in each AWS account are named AWSServiceRoleForSSO. For more information, see Using Service-Linked Roles for AWS SSO.
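The following is an added audit example, not code from this guide or from AWS. It takes the parsed output of `aws iam get-role --role-name AWSServiceRoleForSSO` for each account (or `None` where the role does not exist, which is the expected state for an account that has not yet been assigned SSO access) and reports whether the role is present and trusted only by the AWS SSO service principal. The role name comes from this page; the path `/aws-service-role/sso.amazonaws.com/` and the principal `sso.amazonaws.com` are assumptions about how IAM names service-linked roles, and the sample records are constructed.

```python
import json

# Role name is documented on this page; path and trust principal are assumptions
# about how IAM provisions service-linked roles for AWS SSO.
ROLE_NAME = "AWSServiceRoleForSSO"
EXPECTED_PATH = "/aws-service-role/sso.amazonaws.com/"
EXPECTED_PRINCIPAL = "sso.amazonaws.com"


def audit_role(get_role_output):
    """Audit one account's parsed `aws iam get-role` result (None = NoSuchEntity).
    Returns a list of findings; an empty list means the role looks as expected."""
    if get_role_output is None:
        return ["role absent: no SSO access has been assigned to this account yet"]
    role = get_role_output["Role"]
    findings = []
    if role.get("RoleName") != ROLE_NAME:
        findings.append(f"unexpected role name {role.get('RoleName')!r}")
    if role.get("Path") != EXPECTED_PATH:
        findings.append(f"unexpected path {role.get('Path')!r}")
    # Collect every service principal allowed to assume the role.
    principals = set()
    for stmt in role.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        svc = stmt.get("Principal", {}).get("Service", [])
        principals.update([svc] if isinstance(svc, str) else svc)
    if principals != {EXPECTED_PRINCIPAL}:
        findings.append(f"trust policy principals {sorted(principals)} != [{EXPECTED_PRINCIPAL!r}]")
    return findings


def audit_accounts(results):
    """Map each account ID to its findings, given {account_id: get-role output or None}."""
    return {account: audit_role(out) for account, out in results.items()}


# Constructed sample: one account with the expected role, one with no role yet,
# and one whose trust policy names a different service principal.
SAMPLE = {
    "111111111111": {"Role": {
        "RoleName": ROLE_NAME, "Path": EXPECTED_PATH,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "sso.amazonaws.com"},
             "Action": "sts:AssumeRole"}]}}},
    "222222222222": None,
    "333333333333": {"Role": {
        "RoleName": ROLE_NAME, "Path": EXPECTED_PATH,
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(audit_accounts(SAMPLE), indent=2))
```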