SSH

How to request SSH permissions for AWS and GCP instances.

Last updated 2 months ago

SSH

How to request SSH permissions for AWS and GCP instances.

This topic describes how to request SSH permissions for Amazon Web Services (AWS) and Google Cloud Platform (GCP) instances. P0 SSH provides full SSH functionality, enabling you to securely manage and configure remote servers.

This guide contains the following sections:

Prerequisites

Existing P0 account at
Standard terminal application that supports SSH (e.g., Terminal, Command Prompt, PowerShell, or Bash)
version 20 or later

Installing Node.js automatically installs and on your computer.

and/or account with admin access, where your target instances are hosted
P0 IAM integrations installed for and/or (depending on where you want to set up SSH)
(For AWS) Existing and/or account and an

These instructions use to manage user access and permissions.

Install the P0 CLI Package

Open your computer’s terminal.
Navigate to the directory where you'll install the P0 CLI using the following command:

cd <path/to/my/directory>

Ensure you replace <path/to/my/directory> with your specific directory path.

Install the P0 CLI package:

(Recommended) Run the following command to globally install the P0 CLI package:

npm i -g @p0security/cli

npx p0 ssh private-node --provider gcloud

Request AWS or GCP SSH Permissions

To request AWS or GCP SSH permissions:

From the list of Available components, click SSH Management.
Click + Add account.
From the Account identifier dropdown, select your AWS account or GCP project, then click Next.

Ensure your AWS or GCP account is connected to P0 and the required integrations are installed. Without this setup no accounts will appear in the Account identifier dropdown.

Review the configuration and click Next.

(Optional) For AWS, enter a Grouping tag to group similar instances.

Once the P0 CLI is installed, you can use the command p0 request ssh group --name <value> to combine AWS instances that share the same tag value.

Click Finish to complete the SSH permissions request.

Configure Accounts

AWS and GCP accounts require different configuration processes. Choose the configuration instructions you need:

Configure an AWS Account

Keep this browser tab open. You will come back to this page in later steps.

Once logged in, on the navigation bar, click CloudShell.

Alternatively, you can use the search bar to type CloudShell and select it from the results.

AWS CloudShell will open in the console’s bottom panel.

Click Finish to complete the configuration.

The account now appears on the SSH Management page.

In your terminal, run the following command to log into your P0 organization using Okta:

p0 login <your-p0-organization-name>

Replace <your-p0-organization-name> with your P0 organization name. You can find your organization name in the p0.app URL (e.g. https://p0.app/o/your-p0-organization-name).

In the Okta window that displays, enter your activation code and click Next.

Return to your terminal and use the following command to request SSH access to your AWS instance or P0 grouping tag:

p0 ssh <instance-name>

Direct ssh access is not supported. While direct ssh may work, use p0 ssh to ensure security controls and compliance.

Wait for P0 to complete access provisioning. Your terminal displays the status of your request, and indicates whether it was approved or denied.

After SSH access is approved, you can run P0 AWS commands. For example, you can make an access request, or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on AWS.

Configure a GCP Project

p0 ls ssh session destination --provider gcloud

Copy the name of the GCP instance you want to access from the resulting list. In the following example, private-node is the GCP instance name.

In your terminal, run the following command to request SSH access to your GCP instance:

p0 ssh <instance-name> --provider gcloud

Replace <instance-name> with the name of the GCP instance, identified in the previous step. If you have multiple GCP instances with the same name, you may need to use the --parent <account_id> flag within the command.

Your terminal displays a message with the wait time for access approval. A subsequent message confirms whether the access request is approved or denied.

After SSH access is approved, you can run P0 GCP commands. For example, you can make an access request or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on Google Cloud.

(Optional) Update Your SSH Configuration for `p0 ssh`

To integrate p0 ssh with your native SSH setup, you must update your SSH configuration file. Follow these steps:

Open your SSH configuration file using a text editor of your choice. The SSH Configuration file is typically located at ~/.ssh/config.
Append the following lines to your SSH configuration file

Match exec "p0 ssh-resolve %h -q"
 Include ~/.p0/ssh/configs/*.config

The line Match exec "p0 ssh-resolve %h -q" ensures that p0 ssh resolves the hostname dynamically, before making a connection. A hostname will resolve if the following conditions are met:

The user is logged into the P0 CLI tool using p0 login your-org-id.
The user has been granted access to the host or the user is eligible for access.
Note: Eligibility is defined as having a workflow that grants always allowed access to a node or pre-approved access through a group request.

The line Include ~/.p0/ssh/configs/*.config loads additional configuration files from ~/.p0/ssh/configs/, which enables p0 ssh to manage custom settings.

To verify that p0 ssh is working correctly with your new set up, run ssh your-hostname. If everything is configured properly, ssh will connect to the host machine.