External ID explained

What the External ID is, why it prevents confused deputy attacks, and where to find yours in Parsivex.

Last updated July 5, 2026

When you connect Parsivex to AWS, you configure a cross-account IAM role with an External ID — a secret value that only you and Parsivex know. This article explains what it is, why it matters, and where to find yours.

What is an External ID?

An External ID is a unique string (yours looks like parsivex-xxxxxxxxxxxx) that you add to your IAM role's trust policy. When Parsivex calls AWS to assume your role, it must include this exact value.

Think of it as a shared secret, like a password for cross-account access. Without it, even someone who knows Parsivex's AWS account ID cannot assume your role.

Why does Parsivex require one?

AWS cross-account role assumption works like this: you create a role in your account and say "the Parsivex AWS account may assume this role." That is necessary for Parsivex to read your billing and inventory data.

The problem is the confused deputy attack. Here is a simplified version:

  1. You set up a role trusting Parsivex's AWS account so Parsivex can scan your account.
  2. A malicious third party also uses Parsivex (or tricks Parsivex into acting on their behalf).
  3. Without an External ID, that attacker could ask Parsivex to assume your role ARN — because your role trusts Parsivex's account, not a specific Parsivex customer.

The External ID breaks this attack. Your trust policy says: "Parsivex may assume this role only when it presents my External ID." Parsivex sends your unique ID on every AssumeRole call. An attacker cannot guess it, and Parsivex will not use your ID when working on someone else's account.

AWS recommends External IDs for all third-party cross-account access. Parsivex generates a different External ID for each AWS connection.

Where to find your External ID in Parsivex

Your External ID is created when you register an AWS account with Parsivex:

LocationWhen you see it
Onboarding wizardAfter you enter your AWS account ID on the "Create IAM role" step — the trust step shows a copyable External ID
Integrations → AWS connectionsAny time you manage an existing connection

Copy the value exactly. External IDs are case-sensitive and must match character-for-character in your IAM trust policy.

If you deploy via CloudFormation from the onboarding wizard, the External ID is passed into the template automatically — you do not need to paste it manually.

How it fits in your trust policy

Your IAM role trust policy must allow Parsivex's AWS account to call sts:AssumeRole, with a condition requiring your External ID. A complete example — including the correct Principal ARN and condition block — is on our security page.

When setting up manually in the IAM console:

  1. Select Another AWS account as the trusted entity
  2. Enter the Parsivex AWS account ID from your dashboard
  3. Check Require external ID
  4. Paste the External ID from Parsivex

For the full console walkthrough, see Set up a read-only IAM role.

What Parsivex stores

Parsivex stores your Role ARN and External ID so it can assume your role on each scan. We do not store long-term AWS access keys for your account. Temporary credentials from AssumeRole expire after about one hour.

Related articles