Requesting Access

Requesting from Slack

Open up the p0 modal using /p0 request and select "Amazon Web Services" as the resource.

You'll see an "Access type" field with 2 options, "Attach user policy", and "Add user to group".

  • "Attach user policy": request a user policy to be attached to your AWS user. The policy can either be a customer-managed or AWS-managed policy.

  • "Add user to group": request your AWS user to be added to a user group.

P0 will auto-complete as you start typing the policy or group name. Once you select the policy / group you need, you can optionally add a reason to be supplied to the approver(s) within p0, then submit the request. If an existing policy / group is not shown in the auto-complete results, it may be filtered out by routing rules.

Fine-grained resource-level access

If you installed the Resource inventory integration you will be able to choose the "Resource in AWS" access type. You can specify the exact resource and a policy. P0 will generate a new policy that contains the actions from the selected policy filtered to the selected resource.

For example, request access to a specific S3 bucket called p0-sensitive-data:
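An added illustration of what "filtered to the selected resource" can mean, not P0's own generator: the hypothetical `scope_policy` helper keeps the selected policy's actions for the resource's service and restricts them to the `p0-sensitive-data` bucket. The sample policy is constructed, and the fail-closed handling of Deny, NotAction and narrower resources is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample standing in for the policy picked in the request form.
SELECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::other-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(pattern, target):
    # Fail closed on "?" and "[": they could match the literal "*" in a target ARN.
    return not set("?[") & set(pattern) and fnmatchcase(target, pattern)

def scope_policy(policy, resource_arn):
    """Hypothetical helper: keep the policy's actions, but only on resource_arn."""
    service = resource_arn.split(":")[2]
    targets = [resource_arn]
    if service == "s3" and "/" not in resource_arn.split(":", 5)[5]:
        targets.append(resource_arn + "/*")  # objects in a bucket have their own ARNs
    scoped = []
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] == "Deny":
            scoped.append(dict(stmt))  # narrowing a Deny could widen access: copy as-is
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("cannot safely narrow NotAction/NotResource statements")
        actions = [f"{service}:*" if a == "*" else a for a in _as_list(stmt["Action"])]
        actions = [a for a in actions if a.lower().startswith(service + ":")]
        # Keep only targets the original statement already covered, so the
        # generated policy never grants more than the selected one did.
        allowed = [t for t in targets
                   if any(_covers(p, t) for p in _as_list(stmt["Resource"]))]
        if actions and allowed:
            scoped.append({**stmt, "Action": actions, "Resource": allowed})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": scoped}
```

Calling `scope_policy(SELECTED_POLICY, "arn:aws:s3:::p0-sensitive-data")` drops the EC2 statement and the grant on `other-bucket`, and leaves the S3 read actions limited to the bucket and its objects.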

What happens next

Once you make the request, you should get a Slack message from the p0 bot showing your request. There will also be a message to the approvers in the Slack channel designated by your org admin, requesting access.

  1. If your request is approved, you will get a message saying so. By the time you receive it, your access should already be provisioned, as both happen at the same time.

  2. If you are on-call (on a PagerDuty schedule), and your org admin has enabled PagerDuty routing, your access may be automatically approved for 1 hour.

  3. After your request is approved, there will be a "relinquish" button for you to let go of your permissions early if you finish what you wanted to do before the expiration date (so you can let go of unneeded permissions).

  4. If you wait for the access to expire, you will get a message that it has expired once it does.

  5. If your request is denied, you'll get a message letting you know.
