P0 App Documentation

SSH

How to request SSH permissions for AWS and GCP instances.


Last updated 3 months ago

This topic describes how to request SSH permissions for Amazon Web Services (AWS) and Google Cloud Platform (GCP) instances. P0 SSH provides full SSH functionality, enabling you to securely manage and configure remote servers.

This guide contains the following sections:

  • Prerequisites
  • Install the P0 CLI Package
  • Request AWS or GCP SSH Permissions
  • Configure Accounts

Prerequisites

  • Existing P0 account at p0.app

  • Standard terminal application that supports SSH (e.g., Terminal, Command Prompt, PowerShell, or Bash)

  • Node.js version 20 or later

Installing Node.js automatically installs npm and npx on your computer.

  • AWS and/or GCP account with admin access, where your target instances are hosted

  • P0 IAM integrations installed for AWS and/or GCP (depending on where you want to set up SSH)

  • (For AWS) Existing Okta and/or AWS Identity Center account and an associated P0 directory integration

These instructions use Okta to manage user access and permissions.

Install the P0 CLI Package

You must install the P0 CLI package on your computer before you request permissions using SSH:

  1. Open your computer’s terminal.

  2. Navigate to the directory where you'll install the P0 CLI using the following command:

cd <path/to/my/directory>

Ensure you replace <path/to/my/directory> with your specific directory path.

  3. Install the P0 CLI package:

  • (Recommended) Run the following command to globally install the P0 CLI package:

npm i -g @p0security/cli

  • Alternatively, use npx to run the P0 CLI without installing it:

npx p0 ssh private-node --provider gcloud

Request AWS or GCP SSH Permissions

To request AWS or GCP SSH permissions:

  1. Go to p0.app in your browser. Select Integrations, then under the Resources section, click SSH.

  2. From the list of Available components, click SSH Management.

  3. Click + Add account.

  4. From the Account identifier dropdown, select your AWS account or GCP project, then click Next.

Ensure your AWS or GCP account is connected to P0 and the required integrations are installed. Without this setup, no accounts will appear in the Account identifier dropdown.

  5. Review the configuration and click Next.

  6. (Optional) For AWS, enter a Grouping tag to group similar instances.

  • You can use the Grouping tag as the <instance-name> when you Configure an AWS Account.

  • Once the P0 CLI is installed, you can use the command p0 request ssh group --name <value> to combine AWS instances that share the same tag value.

  7. Click Finish to complete the SSH permissions request.

Configure Accounts

AWS and GCP accounts require different configuration processes. Choose the configuration instructions you need:

  • Configure an AWS Account
  • Configure a GCP Project

Configure an AWS Account

  1. From the p0.app site, navigate to the SSH Management page, and copy the shell commands displayed.

Keep this browser tab open. You will come back to this page in later steps.

  2. Open a new browser tab and log into your AWS Management Console.

  3. Once logged in, on the navigation bar, click CloudShell.

Alternatively, you can use the search bar to type CloudShell and select it from the results.

  4. AWS CloudShell will open in the console’s bottom panel.

  5. Paste the commands from the SSH Management page into AWS CloudShell, and run them. This creates an AWS Systems Manager (SSM) document, which enables P0 to provision sudo access, create a user directory, and configure authorized keys for user authentication.

  6. Return to the browser tab for the SSH Management page, click Next, and wait for P0 to configure the account.

  7. Click Finish to complete the configuration.

  8. The account now appears on the SSH Management page.

  9. In your terminal, run the following command to log into your P0 organization using Okta:

p0 login <your-p0-organization-name>

Replace <your-p0-organization-name> with your P0 organization name. You can find your organization name in the p0.app URL (e.g. https://p0.app/o/your-p0-organization-name).

  10. In the Okta window that displays, enter your activation code and click Next.

  11. Return to your terminal and use the following command to request SSH access to your AWS instance or P0 grouping tag:

p0 ssh <instance-name>

Replace <instance-name> with the name of the AWS instance or a P0 grouping tag from Request AWS or GCP SSH Permissions. If you have multiple AWS instances with the same name, you may need to use the --parent <account_id> flag within the command.

  • Direct ssh access is not supported. While direct ssh may work, use p0 ssh to ensure security controls and compliance.

  12. Wait for P0 to complete access provisioning. Your terminal displays the status of your request, and indicates whether it was approved or denied.

  13. After SSH access is approved, you can run P0 AWS commands. For example, you can make an access request, or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on AWS.

Configure a GCP Project

  1. To display the GCP instances (previously set up for SSH access in Request AWS or GCP SSH Permissions), run the following command in your terminal:

p0 ls ssh session destination --provider gcloud

  2. Copy the name of the GCP instance you want to access from the resulting list. In the following example, private-node is the GCP instance name.

  3. In your terminal, run the following command to request SSH access to your GCP instance:

p0 ssh <instance-name> --provider gcloud

Replace <instance-name> with the name of the GCP instance, identified in the previous step. If you have multiple GCP instances with the same name, you may need to use the --parent <account_id> flag within the command.

  4. Your terminal displays a message with the wait time for access approval. A subsequent message confirms whether the access request is approved or denied.

  5. After SSH access is approved, you can run P0 GCP commands. For example, you can make an access request or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on Google Cloud.

(Optional) Update Your SSH Configuration for p0 ssh

To integrate p0 ssh with your native SSH setup, you must update your SSH configuration file. Follow these steps:

  1. Open your SSH configuration file using a text editor of your choice. The SSH configuration file is typically located at ~/.ssh/config.

  2. Append the following lines to your SSH configuration file:

Match exec "p0 ssh-resolve %h -q"
 Include ~/.p0/ssh/configs/*.config

The line Match exec "p0 ssh-resolve %h -q" ensures that p0 ssh resolves the hostname dynamically, before making a connection. A hostname will resolve if the following conditions are met:

    1. The user is logged into the P0 CLI tool using p0 login your-org-id.

    2. The user has been granted access to the host or the user is eligible for access.

    Note: Eligibility is defined as having a workflow that grants always allowed access to a node or pre-approved access through a group request.

The line Include ~/.p0/ssh/configs/*.config loads additional configuration files from ~/.p0/ssh/configs/, which enables p0 ssh to manage custom settings.

  3. To verify that p0 ssh is working correctly with your new setup, run ssh your-hostname. If everything is configured properly, ssh will connect to the host machine.
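
An added example, not part of the P0 documentation or the P0 CLI: a shell function that audits the two lines appended to the SSH configuration file above. It checks that the Match exec line and its Include are present, that no later directive has ended up inside the Match block (a Match block extends to the next Host or Match keyword), and that the included files are writable only by their owner. The function name, return codes and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the p0 block in an ssh_config (paths are arguments).
# Returns 0 = ok, 1 = Match/Include block missing, 2 = another directive sits
# inside the Match block, 3 = an included file is group/world-writable.
check_p0_ssh_config() {
    cfg=$1 dir=$2
    # A Match block runs until the next Host/Match keyword, so any directive
    # that follows the Include only applies when p0 ssh-resolve succeeds.
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            kw = tolower($1)
            if (kw == "match" && index($0, "exec \"p0 ssh-resolve %h -q\"")) {
                found = 1; inblk = 1; next
            }
            if (kw == "host" || kw == "match") { inblk = 0; next }
            if (inblk && kw == "include") { inc = 1; next }
            if (inblk) stray = 1
        }
        END { if (!found || !inc) exit 1; if (stray) exit 2 }
    ' "$cfg" || return $?
    # Included files can set ProxyCommand and similar directives, so nobody
    # but the owner should be able to write them.
    loose=$(find "$dir" -type f -name '*.config' \( -perm -020 -o -perm -002 \) 2>/dev/null)
    if [ -n "$loose" ]; then
        printf 'writable by group/others: %s\n' "$loose" >&2
        return 3
    fi
    return 0
}

# Constructed sample: ForwardAgent was added below the appended block and is
# now conditional on the Match.
tmp=$(mktemp -d) && mkdir "$tmp/configs"
cat > "$tmp/config" <<'EOF'
Host bastion
  User admin

Match exec "p0 ssh-resolve %h -q"
 Include ~/.p0/ssh/configs/*.config
ForwardAgent no
EOF
rc=0; check_p0_ssh_config "$tmp/config" "$tmp/configs" || rc=$?
echo "audit result: $rc"
rm -rf "$tmp"
```

To audit a real setup, call check_p0_ssh_config "$HOME/.ssh/config" "$HOME/.p0/ssh/configs"; keeping the p0 block as the last entry in the file avoids return code 2.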