
⬇️ Getting Started with Just-in-Time Access

Install P0 Security, configure approval workflows, and make your first just-in-time access request. A step-by-step guide for security and DevOps teams.

Visual overview

The following diagram illustrates an example Just-in-Time Access workflow at a high level.

JIT access workflow diagram showing P0 CLI and P0 Service connecting to Okta AWS Account Federation App and AWS IAM to grant access to resources like S3, EKS, RDS, EC2, and KMS

Steps to get started

This guide provides the following sections to help you get up and running with P0's Just-in-time access:

This process takes about 15 minutes.

This document uses the following terms:

  • Requestor: Person who requests access to a resource via P0's Slack bot.

  • Approver: Person who approves these access requests via P0's Slack bot.

Set up an account and a security reviewer

To create your P0 account and set up an approver to approve access requests:

  1. Create a free P0 account at https://p0.app/create-account. All you need is an email address.

  2. Set up a cloud integration through the guided onboarding flow (select Access Orchestration). You may skip this step and instead follow the instructions to install a resource in the next step.

  3. Once you complete the onboarding, under P0 Management, add one or more "Security Reviewers". Security Reviewers can approve access requests.

P0 Management Access control panel with Security Reviewers section highlighted, showing fields for adding reviewer email addresses

To further configure who can request and approve access, or to change settings such as the ability to approve your own access requests, navigate to Policy Studio (or go to https://p0.app/o/<your organization>/policies). You can edit the existing default rule or create new rules.

Install P0 on an IAM resource

If you already configured a resource as part of the guided onboarding, you may skip this step. Otherwise, you will need to install an IAM resource to which users can request Just-in-time access.

To do this, navigate to Integrations and select the integration you wish to install from the list of "Resource" integrations.

P0 Integrations page with the Resources section highlighted, listing AWS, Azure, Google Cloud, GitHub, Custom, Kubernetes, Snowflake, PostgreSQL, and SSH

Once you have selected a resource, follow the instructions in the app to provide P0 with permissions to grant and revoke access on that resource via the IAM Management installation. For more information, follow one of the resource-specific installation guides below.

  • ☁️ Google Cloud

  • 📦 AWS

  • ❄️ Snowflake

  • ☸️ Kubernetes

Make your first access request

Once you've set up P0, you can make your first access request. You can try this out entirely on your own if you enabled one-party approvals in "Set up an account and a security reviewer". Otherwise, grab a colleague to help you, and designate one person as the requestor and the other as the approver:

  • You can use the P0 Security Command-line Interface (CLI) as an alternate method to request permissions, and then approve using the P0 website app.

  • P0 is in the process of adding additional IAM request methods, including a Microsoft Teams bot.

  1. Navigate to any page under Access Management (https://p0.app/o/<your organization>/access-management/activity) and click the Request Access button in the top right.

    Access Management Activity page showing Active and Pending sections with the Request Access button in the top right

  2. Populate the request details. For example:

    Request Access dialog with fields for Resource, Access Type, Account, Resource ARN, Policies, Reason, and duration filled in for an AWS S3 request

  3. The approver can see the request on the Access Management Activity page in the Pending section.

    Access Management Activity page showing a pending request for AmazonS3ReadOnlyAccess with Approve and Deny buttons

    After a few moments, the access requestor receives a notification in the p0-requests channel that access was granted.

  4. Once the access propagates to the resource, the request progresses to the Active section.

    Access Management Activity page showing an active granted request for AmazonS3ReadOnlyAccess with expiration time and Revoke button

Access automatically ends after the expiration period is over, or when the requestor clicks the Relinquish button in their P0 DM.

What's next

If you run into any issues, reach out to support@p0.dev for assistance.

Now that you can make access requests, you can:
