Sign up for FreeKnowledge Base

🖥️SSH

How to request SSH permissions for AWS and GCP instances.

This topic describes how to request SSH permissions for Amazon Web Services (AWS) and Google Cloud Platform (GCP) instances. P0 SSH provides full SSH functionality, enabling you to securely manage and configure remote servers.

This guide contains the following sections:

  1. Prerequisites

  2. Install the P0 CLI Package

  3. Request AWS or GCP SSH Permissions

  4. Configure Accounts

Prerequisites

  • Existing P0 account at p0.app

  • Standard terminal application that supports SSH (e.g., Terminal, Command Prompt, PowerShell, or Bash)

  • Node.js version 20 or later

Installing Node.js automatically installs npm and npx on your computer.

These instructions use Okta to manage user access and permissions.

Install the P0 CLI Package

You must install the P0 CLI package on your computer before you request permissions using SSH:

  1. Open your computer’s terminal.

  2. Navigate to the directory where you'll install the P0 CLI using the following command:

cd <path/to/my/directory>

Ensure you replace <path/to/my/directory> with your specific directory path.

  1. Install the P0 CLI package:

  • (Recommended) Run the following command to globally install the P0 CLI package:

npm i -g @p0security/cli

  • Alternatively, use npx to run the P0 CLI without installing it:

npx p0 ssh private-node --provider gcloud

Request AWS or GCP SSH Permissions

To request AWS or GCP SSH permissions:

  1. Go to p0.app in your browser. Select Integrations, then under the Resources section, click SSH.

  2. From the list of Available components, click SSH Management.

  3. Click + Add account.

  4. From the Account identifier dropdown, select your AWS account or GCP project, then click Next.

Ensure your AWS or GCP account is connected to P0 and the required integrations are installed. Without this setup no accounts will appear in the Account identifier dropdown.

  1. Review the configuration and click Next.

  1. (Optional) For AWS, enter a Grouping tag to group similar instances.

  • You can use the Grouping tag as the <instance-name> when you Configure an AWS Account.

  • Once the P0 CLI is installed, you can use the command p0 request ssh group --name <value> to combine AWS instances that share the same tag value.

  1. Click Finish to complete the SSH permissions request.

Configure Accounts

AWS and GCP accounts require different configuration processes. Choose the configuration instructions you need:

Configure an AWS Account

  1. From the p0.app site, navigate to the SSH Management page, and copy the shell commands displayed.

Keep this browser tab open. You will come back to this page in later steps.

  1. Open a new browser tab and log into your AWS Management Console.

  2. Once logged in, on the navigation bar, click CloudShell.

Alternatively, you can use the search bar to type CloudShell and select it from the results.

  1. AWS CloudShell will open in the console’s bottom panel.

  1. Paste the commands from the SSH Management page into AWS CloudShell, and run them. This creates an AWS Systems Manager (SSM) document, which enables P0 to provision sudo access, create a user directory, and configure authorized keys for user authentication.

  1. Return to the browser tab for the p0.app SSH Management page, click Next, and wait for P0 to configure the account.

  1. Click Finish to complete the configuration.

  1. The account now appears on the SSH Management page.

  1. In your terminal, run the following command to log into your P0 organization using Okta:

p0 login <your-p0-organization-name>

Replace <your-p0-organization-name> with your P0 organization name. You can find your organization name in the p0.app URL (e.g. https://p0.app/o/your-p0-organization-name).

  1. In the Okta window that displays, enter your activation code and click Next.

  1. Return to your terminal and use the following command to request SSH access to your AWS instance or P0 grouping tag: 

p0 ssh <instance-name>

  • Replace <instance-name> with the name of the AWS instance or a P0 grouping tag from Request AWS or GCP SSH Permissions. If you have multiple AWS instances with the same name, you may need to use the --parent <account_id> flag within the command.

  • Direct ssh access is not supported. While direct ssh may work, use p0 ssh to ensure security controls and compliance.

  1. Wait for P0 to complete access provisioning. Your terminal displays the status of your request, and indicates whether it was approved or denied.

  1. After SSH access is approved, you can run P0 AWS commands. For example, you can make an access request, or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on AWS.

Configure a GCP Project

  1. To display the GCP instances (previously set up for SSH access in Request AWS or GCP SSH Permissions), run the following command in your terminal:

p0 ls ssh session destination --provider gcloud

  1. Copy the name of the GCP instance you want to access from the resulting list. In the following example, private-node is the GCP instance name.

  1. In your terminal, run the following command to request SSH access to your GCP instance:

p0 ssh <instance-name> --provider gcloud

Replace <instance-name> with the name of the GCP instance, identified in the previous step. If you have multiple GCP instances with the same name, you may need to use the --parent <account_id> flag within the command.

  1. Your terminal displays a message with the wait time for access approval. A subsequent message confirms whether the access request is approved or denied.

  1. After SSH access is approved, you can run P0 GCP commands. For example, you can make an access request or use the following command to list available SSH session destinations:

p0 ls ssh session destination

Congratulations! You're now set up with SSH for P0 on Google Cloud.

(Optional) Update Your SSH Configuration for p0 ssh

To integrate p0 ssh with your native SSH setup, you must update your SSH configuration file. Follow these steps:

  1. Open your SSH configuration file using a text editor of your choice. The SSH Configuration file is typically located at ~/.ssh/config.

  2. Append the following lines to your SSH configuration file

Match exec "p0 ssh-resolve %h -q"
 Include ~/.p0/ssh/configs/*.config

The line Match exec "p0 ssh-resolve %h -q" ensures that p0 ssh resolves the hostname dynamically, before making a connection. A hostname will resolve if the following conditions are met:

  1. The user is logged into the P0 CLI tool using p0 login your-org-id.

  2. The user has been granted access to the host or the user is eligible for access.

    Note: Eligibility is defined as having a workflow that grants always allowed access to a node or pre-approved access through a group request.

The line Include ~/.p0/ssh/configs/*.config loads additional configuration files from ~/.p0/ssh/configs/, which enables p0 ssh to manage custom settings.

  1. To verify that p0 ssh is working correctly with your new set up, run ssh your-hostname. If everything is configured properly, ssh will connect to the host machine.

PreviousSnowflakeNextGitHub

Last updated