When you connect Parsivex to AWS, you configure a cross-account IAM role with an External ID — a secret value that only you and Parsivex know. This article explains what it is, why it matters, and where to find yours.
What is an External ID?
An External ID is a unique string (yours looks like parsivex-xxxxxxxxxxxx) that you add to your IAM role's trust policy. When Parsivex calls AWS to assume your role, it must include this exact value.
Think of it as a shared secret, like a password for cross-account access. Without it, even someone who knows Parsivex's AWS account ID cannot assume your role.
Why does Parsivex require one?
AWS cross-account role assumption works like this: you create a role in your account and say "the Parsivex AWS account may assume this role." That is necessary for Parsivex to read your billing and inventory data.
The problem is the confused deputy attack. Here is a simplified version:
- You set up a role trusting Parsivex's AWS account so Parsivex can scan your account.
- A malicious third party also uses Parsivex (or tricks Parsivex into acting on their behalf).
- Without an External ID, that attacker could ask Parsivex to assume your role ARN — because your role trusts Parsivex's account, not a specific Parsivex customer.
The External ID breaks this attack. Your trust policy says: "Parsivex may assume this role only when it presents my External ID." Parsivex sends your unique ID on every AssumeRole call. An attacker cannot guess it, and Parsivex will not use your ID when working on someone else's account.
AWS recommends External IDs for all third-party cross-account access. Parsivex generates a different External ID for each AWS connection.
The External ID ensures Parsivex can only access your account when you intended — not because another customer or attacker pointed Parsivex at your role ARN.
Where to find your External ID in Parsivex
Your External ID is created when you register an AWS account with Parsivex:
| Location | When you see it |
|---|---|
| Onboarding wizard | After you enter your AWS account ID on the "Create IAM role" step — the trust step shows a copyable External ID |
| Integrations → AWS connections | Any time you manage an existing connection |
Copy the value exactly. External IDs are case-sensitive and must match character-for-character in your IAM trust policy.
If you deploy via CloudFormation from the onboarding wizard, the External ID is passed into the template automatically — you do not need to paste it manually.
How it fits in your trust policy
Your IAM role trust policy must allow Parsivex's AWS account to call sts:AssumeRole, with a condition requiring your External ID. A complete example — including the correct Principal ARN and condition block — is on our security page.
When setting up manually in the IAM console:
- Select Another AWS account as the trusted entity
- Enter the Parsivex AWS account ID from your dashboard
- Check Require external ID
- Paste the External ID from Parsivex
For the full console walkthrough, see Set up a read-only IAM role.
What Parsivex stores
Parsivex stores your Role ARN and External ID so it can assume your role on each scan. We do not store long-term AWS access keys for your account. Temporary credentials from AssumeRole expire after about one hour.
Related articles
- Set up a read-only IAM role — Full IAM console walkthrough
- Verify your AWS connection — Test that trust policy and External ID are correct (coming soon)
- Security page — Live IAM policy JSON and trust policy reference