ποΈRequesting Access
This page describes how to make a just-in-time access request using P0
Last updated
This page describes how to make a just-in-time access request using P0
Last updated
Here we'll walk you through the life-cycle of an access request:
To begin, you'll use Slack to create an access request. You can either:
You can make requests using an interactive modal. This will help you discover what resources and possible access modes you can request.
To open the modal, you can either:
Type /p0 request
in any Slack channel
Click the "Run Shortcut" icon in the message draft bar, then search for and select "Request access"
Choose a resource and access type, then fill out the remaining fields. You may skip optional fields.
The "reason" field is optional, but highly recommended. Filling this out will help your request be approved more easily.
Once you've filled out all required fields, click "Done". P0 will then send you a DM with details of your request.
If you already know exactly what you need access to, you can use slash commands to make requests more quickly.
All slash commands start with /p0
. You can always use --help
to get help for your current command.
You can open the interactive modal by typing an incomplete slash command. For example, /p0 request aws policy
will open a partially filled AWS user-policy request. Add --help
to force P0 to show you how to complete the slash command.
Using a complete slash command will generate an access request. For instance: /p0 request gcloud role p0-demo viewer --reason 'showing off P0'
will create a new access request to gain the "Viewer" role on a p0-demo
Google Cloud project.
After a successful request command, P0 will send you a DM with details of your request.
After your request is made, a message will be sent in your public P0 approval channel, asking for approval.
Your approver may immediately grant or deny your request, or respond in a thread to your request, asking for more information about why you're requesting access.
You cannot approve nor deny your own requests, unless you are a configured approver and your organization allows one-party approvals.
If your organization has configured automatic approvals and you meet the approval conditions (for example, you are on-call on a specified PagerDuty escalation policy), you will automatically be granted access for one hour.
After your request is approved, P0 will provision access for you, then notify you after provisioning is complete.
Note that you may have to wait an additional amount of time before your access is ready to use. This is because IAM resources have a propagation time in-between when access is configured and when access is usable. Observed propagation times are approximately:
AWS
10 seconds - 15 seconds
Directories (Okta, Entra ID, Workspace)
Depends on SCIM propagation time
Google Cloud
30 seconds - one minute
PostgreSQL
Immediate
Snowflake
Immediate
When your access was approved, your approver defined how long your access would last. Once your access expires, P0 will automatically remove it. If you still need this access, you can re-request it.
If you finish using your access before your access expires, you can also choose to relinquish your access. Click the "Relinquish" button to give up access early. This can help you avoid using your access unintentionally.