# p0 Commands and Usage

## p0 CLI Overview

A developer-focused overview of all p0 CLI commands. Use this as your launchpad—each section links to in-depth docs with examples, flags, and troubleshooting.

***

### 📥 [p0 login](/p0-cli/p0-commands-and-usage/p0-login.md)

Bootstrap your local CLI with your organization's credentials and config.

{% hint style="info" %}
If you are not logged in, running any other `p0` command runs `p0 login` first.
{% endhint %}

* **Purpose:**
  * Launch browser SSO (Google, Okta, Ping, Microsoft, etc.)
  * Persist tokens & config under `~/.p0/` (or `$TMP/p0` if you set the `P0_ORG` environment variable)
* **Outcome:**
  * Validated Org access
  * Ability to run `p0 request`, `p0 ssh`, `p0 aws`, and more without re-authenticating
* **Key Flags:**
  * `p0 login <ORG_ID>`
  * `P0_ORG=<ORG_ID> p0 login` (for [multi-organization access](/integrations/resource-integrations/ssh.md#multi-organization-ssh-access) or env var shortcut)

***

### 🚪 [p0 logout](/p0-cli/p0-commands-and-usage/p0-logout.md)

Remove all P0 CLI credentials, config files, and cached data from your system.

* **Purpose:**
  * Delete saved identity/authentication tokens
  * Remove local configuration files (`~/.p0/config.json`)
  * Clear CLI session caches
* **Syntax:**

  ```bash
  p0 logout
  ```

* **Outcome:**
  * Ensures no sensitive data persists after use
  * Requires a fresh `p0 login` before running other commands
* **Notes:**
  * Recommended on shared systems, CI environments, or when rotating credentials.
  * All privileged CLI commands will prompt re-authentication after logout.

***

### ☁️ [p0 aws role assume](/p0-cli/p0-commands-and-usage/p0-aws-role-assume.md)

Assume AWS IAM roles through Okta SAML federation.

* **Purpose:**
  * Obtain temporary AWS credentials via just-in-time access
  * Authenticate through Okta SAML to assume IAM roles
  * Output shell export commands for AWS CLI usage
* **Key Flags:**
  * `--account <id>` (AWS account ID or alias)
  * `--reason <text>` (justification for audit)
  * `--no-request` (skip access request if you have existing access)
* **Syntax:**

  ```bash
  $(p0 aws role assume MyRole --account 123456789012)
  ```

***

### ☁️ [p0 aws permission-set assume](/p0-cli/p0-commands-and-usage/p0-aws-permission-set-assume.md)

Assume AWS permission sets through AWS Identity Center (IDC).

* **Purpose:**
  * Obtain temporary AWS credentials via just-in-time access
  * Authenticate through AWS Identity Center to assume permission sets
  * Output shell export commands for AWS CLI usage
* **Key Flags:**
  * `--account <id>` (AWS account ID or alias)
  * `--reason <text>` (justification for audit)
* **Syntax:**

  ```bash
  $(p0 aws permission-set assume AdministratorAccess --account 123456789012)
  ```

{% hint style="info" %}
The CLI shows either `p0 aws role` or `p0 aws permission-set` based on your AWS account configuration. Run `p0 aws --help` to see which is available.
{% endhint %}

***

### ☸️ [p0 kubeconfig](/p0-cli/p0-commands-and-usage/p0-kubeconfig.md)

Just-in-time AWS EKS access and kubeconfig automation.

* **Purpose:**
  * Request AWS EKS cluster access via p0
  * Automatically update your `~/.kube/config` context
* **Key Flags:**
  * `--cluster <CLUSTER_ID>` (registered in p0)
  * `--role <ClusterRole|CuratedRole|Role>`
  * `--resource <Kind> / <Namespace> / <Name>`
  * `--reason "<REASON>"`
  * `--duration "<DURATION>"`

***

### 🔓 [p0 allow](/p0-cli/p0-commands-and-usage/p0-allow.md)

Declare pre-approved access grants for `p0 request` across multiple platforms.

* **Purpose:**
  * Provision any access that you can request. This is for creating pre-approved access for another user for a period of time. You must be a valid approver for that person.
  * Apply policy guardrails and auto-revoke at expiry
* **Key Flags:**
  * `--to <principal>` (user, service account, or group)
  * `--length <total duration>`
  * `--duration <session TTL>`
  * Optional: `--start <timestamp>`, `--reason <text>`

***

### 🎫 [p0 grant](/p0-cli/p0-commands-and-usage/p0-grant.md)

Issue ephemeral, just-in-time access requests for short-lived tasks.

* **Purpose:**
  * Trigger provisioning workflows on demand
  * Optionally block (`--wait`) until approval or denial
* **Key Flags:**
  * `--to <principal>`
  * `--duration <duration>`
  * Optional: `--reason <text>`, `-w/--wait`

***

### 🔍 [p0 ls](/p0-cli/p0-commands-and-usage/p0-ls.md)

Discover valid resource identifiers for `grant`, `allow`, `ssh`, and more.

* **Purpose:**
  * List ARNs, roles, permission-sets, groups, SSH sessions, etc.
  * Mark items you already have (`*`)
* **Key Flags:**
  * `p0 ls <integration> <subcommand> [filters]`
  * `--size <N>` (pagination)
  * `--json` (raw output)

***

### 📂 [p0 scp](/p0-cli/p0-commands-and-usage/p0-scp.md)

Securely copy files using P0-provisioned SSH under the hood.

* **Purpose:**
  * Drop-in replacement for `scp` with automatic access requests
* **Syntax:**

  ```bash
  p0 scp <src> <dest> [P0-options] -- [scp flags]
  ```
* **Key Flags:**
  * `--provider <aws|gcloud|azure>`
  * `--reason <text>`
  * `--sudo`
  * `--debug`

***

### 🔑 p0 ssh-keygen

Generate (or reuse) a P0-specific SSH key pair.

* **Purpose:**
  * Create a 2048-bit RSA key under `~/.p0/ssh/` with mode `600`
  * Auto-invoked by `p0 ssh`/`scp`, or run manually to pre-generate or rotate keys
* **Syntax:**

  ```bash
  p0 ssh-keygen
  ```
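
An added example (not part of the P0 CLI or its documentation): a shell audit of the local state directory described in the `p0 logout` and `p0 ssh-keygen` sections above. It flags files that group or others can access and lists files left behind after logout; the function names are hypothetical, and only the `~/.p0/` paths come from this page.

```shell
#!/usr/bin/env bash
# Added example: audit the P0 CLI state directory named on this page.
# Assumptions: only the paths (~/.p0/, ~/.p0/ssh/, ~/.p0/config.json) come
# from the page; function names are hypothetical, no file names are assumed.

# Print regular files under DIR that group or others can read, write or
# execute. Keys are documented as mode 600, so every hit is a finding.
p0_loose_files() {
  [ -d "$1" ] || return 0
  find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
    -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print regular files still present under DIR. Run after `p0 logout`:
# anything left (tokens, config.json, caches) should be reviewed.
p0_residue() {
  [ -d "$1" ] || return 0
  find "$1" -type f -print
}

# p0_audit DIR perms|logout -> status 0 when clean, 1 on findings, 2 on usage.
p0_audit() {
  case "$2" in
    perms)  p0_hits=$(p0_loose_files "$1") ;;
    logout) p0_hits=$(p0_residue "$1") ;;
    *) echo "usage: p0_audit DIR perms|logout" >&2; return 2 ;;
  esac
  [ -z "$p0_hits" ] && return 0
  printf '%s\n' "$p0_hits" | sed "s/^/FINDING ($2): /"
  return 1
}

# Typical use (pass "$TMP/p0" instead when P0_ORG is set):
#   p0_audit "$HOME/.p0" perms
#   p0 logout && p0_audit "$HOME/.p0" logout
```

A non-zero status from either mode makes the check easy to wire into a CI teardown step or a shared-host logout hook.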

***

### 🔌 p0 ssh-proxy

Expose P0's SSH tunnel as a ProxyCommand for custom SSH configs.

{% hint style="info" %}
This command is not meant to be run directly; other P0 CLI commands invoke it.
{% endhint %}

* **Purpose:**
  * Integrate P0's managed tunnel (`aws ssm start-session`, `gcloud iap-tunnel`, Azure) into `~/.ssh/config`
  * Reuse approved sessions across multiple SSH calls
* **Syntax:**

  ```bash
  p0 ssh-proxy <destination> \
    --provider <aws|gcloud|azure> \
    --port <22> \
    -i <identityFile> \
    --request-json <path/to/request.json> \
    [--org <org-id>]
  ```

***

### 📑 [p0 ssh-resolve](/p0-cli/p0-commands-and-usage/p0-ssh-resolve.md)

Resolves host names in the SSH command if they are accessible to you without manual approval.

{% hint style="info" %}
This command is not meant to be run directly; it is invoked from the SSH config file.
{% endhint %}

* **Purpose:**
  * Generate approved requests and credentials.
  * Perfect for automation, editor plugins, or CI pipelines
* **Syntax:**

  ```bash
  p0 ssh-resolve <destination> \
    [--provider <aws|gcloud|azure>] \
    [--parent <account/project>] \
    [-q|--quiet] \
    [--debug]
  ```


