After you create the read-only IAM role, Parsivex needs to confirm it can assume that role using your External ID. Verification takes about 10–15 seconds and checks the trust policy and role ARN — it does not run a full cost scan.
When to verify
| Location | When |
|---|---|
| Onboarding wizard | The Verify connection step after you deploy CloudFormation or finish manual IAM setup |
| Integrations → AWS connections | After you add a connection, change the Role ARN, or fix IAM after a failed scan |
On the free tier, a successful verification on the onboarding verify step starts your first scan automatically.
What you need
Before clicking Test connection, have these ready:
- Role ARN — The full ARN from IAM or your CloudFormation/Terraform outputs (for example
arn:aws:iam::123456789012:role/ParsivexReadOnly) - Primary AWS region — The region where most of your billable resources run; Parsivex uses it for regional API calls during scans
- External ID — Already stored on your Parsivex connection when you registered the account; Parsivex sends it on every
AssumeRolecall. You do not paste it again on the verify step, but the value in your IAM trust policy must match. See External ID explained.
Copy the RoleArn output from your CloudFormation stack's Outputs tab — do not guess the ARN from the role name alone.
Verify in the onboarding wizard
- Complete Connect your AWS account — deploy the template or set up the role manually
- On Verify connection, select your primary region
- Paste the Role ARN into the field
- Click Test connection
- Wait for the result:
- Connection successful — Parsivex can assume your IAM role. Continue to start your first scan
- Connection failed — See Connection troubleshooting for trust policy, External ID, and permission fixes
Verify an existing connection
- Open Integrations → AWS connections
- Select the account you want to check
- Confirm the Role ARN is correct (update it if you recreated the role)
- Click Test connection (or Verify)
Use this after IAM changes, account migrations, or when a scan fails with assume-role errors.
What verification checks
Parsivex calls AWS sts:AssumeRole with:
- Your Role ARN
- Your workspace's External ID
If AWS accepts the call, verification succeeds. Parsivex does not read Cost Explorer or inventory during this step — only whether cross-account access works.
Verification does not confirm every read permission needed for a full scan. You can pass verification but still see partial scan warnings if the attached policy is incomplete.
Common outcomes
| Result | What it means | Next step |
|---|---|---|
| Connection successful | Trust policy, External ID, and Role ARN are correct | Continue onboarding or run a scan |
| Access denied / AssumeRole failed | Trust policy missing, wrong Parsivex account ID, or External ID mismatch | Connection troubleshooting → trust policy sections |
| Role does not exist / Invalid ARN | ARN typo, wrong account, or deleted role | Copy the ARN again from IAM or IaC outputs |
| Mock connection (dev) | Internal mock backend — no IAM role required | Select a region and test; used for development demos only |
Related articles
- Set up a read-only IAM role — Create the role before you verify
- External ID explained — Why the trust policy requires your External ID
- Connection troubleshooting — Fix failed verification and permission errors
- Deploy with CloudFormation or Terraform — Get the Role ARN from IaC outputs