ποΈRequesting Access
This page describes how to make a just-in-time access request using P0
Here we'll walk you through the life-cycle of an access request:
π Creating a request
βΆοΈ Gaining access
π Creating a request
To begin, you'll use Slack to create an access request. You can either:
Using the Slack request modal
You can make requests using an interactive modal. This will help you discover what resources and possible access modes you can request.
Opening the modal
To open the modal, you can either:
Type
/p0 requestin any Slack channelClick the "Run Shortcut" icon in the message draft bar, then search for and select "Request access"
Making your request
Choose a resource and access type, then fill out the remaining fields. You may skip optional fields.
The "reason" field is optional, but highly recommended. Filling this out will help your request be approved more easily.
Once you've filled out all required fields, click "Done". P0 will then send you a DM with details of your request.
Using Slack slash commands
If you already know exactly what you need access to, you can use slash commands to make requests more quickly.
Slash-command format
All slash commands start with /p0. You can always use --help to get help for your current command.
Request modal shortcut
You can open the interactive modal by typing an incomplete slash command. For example, /p0 request aws policy will open a partially filled AWS user-policy request. Add --help to force P0 to show you how to complete the slash command.
Creating requests
Using a complete slash command will generate an access request. For instance: /p0 request gcloud role p0-demo viewer --reason 'showing off P0' will create a new access request to gain the "Viewer" role on a p0-demo Google Cloud project.
After a successful request command, P0 will send you a DM with details of your request.
π£οΈ Discussing your request
After your request is made, a message will be sent in your public P0 approval channel, asking for approval.
Your approver may immediately grant or deny your request, or respond in a thread to your request, asking for more information about why you're requesting access.
You cannot approve nor deny your own requests, unless you are a configured approver and your organization allows one-party approvals.
If your organization has configured automatic approvals and you meet the approval conditions (for example, you are on-call on a specified PagerDuty escalation policy), you will automatically be granted access for one hour.
βΆοΈ Gaining access
After your request is approved, P0 will provision access for you, then notify you after provisioning is complete.
Note that you may have to wait an additional amount of time before your access is ready to use. This is because IAM resources have a propagation time in-between when access is configured and when access is usable. Observed propagation times are approximately:
| System | Time-to-use |
|---|---|
AWS | 10 seconds - 15 seconds |
Directories (Okta, Entra ID, Workspace) | Depends on SCIM propagation time |
Google Cloud | 30 seconds - one minute |
PostgreSQL | Immediate |
Snowflake | Immediate |
βοΈ Access relinquishment and expiration
When your access was approved, your approver defined how long your access would last. Once your access expires, P0 will automatically remove it. If you still need this access, you can re-request it.
If you finish using your access before your access expires, you can also choose to relinquish your access. Click the "Relinquish" button to give up access early. This can help you avoid using your access unintentionally.
Last updated
