# p0 Commands and Usage

## p0 CLI Overview

A developer-focused overview of all p0 CLI commands. Use this as your launchpad—each section links to in-depth docs with examples, flags, and troubleshooting.

***

### 📥 [p0 login](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-login)

Bootstrap your local CLI with your organization's credentials and config.

{% hint style="info" %}
If you are not logged in, running any other command runs `p0 login` first.
{% endhint %}

* **Purpose:**
  * Launch browser SSO (Google, Okta, Ping, Microsoft, etc.)
  * Persist tokens & config under `~/.p0/` (or `$TMP/p0` if you set the `P0_ORG` environment variable)
* **Outcome:**
  * Validated Org access
  * Ability to run `p0 request`, `p0 ssh`, `p0 aws`, and more without re-authenticating
* **Key Flags:**
  * `p0 login <ORG_ID>`
  * `P0_ORG=<ORG_ID> p0 login` (for [multi-organization access](https://docs.p0.dev/integrations/resource-integrations/ssh#multi-organization-ssh-access) or env var shortcut)

***

### 🚪 [p0 logout](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-logout)

Remove all P0 CLI credentials, config files, and cached data from your system.

* **Purpose:**
  * Delete saved identity/authentication tokens
  * Remove local configuration files (`~/.p0/config.json`)
  * Clear CLI session caches
* **Syntax:**

  ```bash
  p0 logout
  ```

* **Outcome:**
  * Ensures no sensitive data persists after use
  * Requires a fresh `p0 login` before running other commands
* **Notes:**
  * Recommended on shared systems, CI environments, or when rotating credentials.
  * All privileged CLI commands will prompt for re-authentication after logout.

***

### ☁️ [p0 aws role assume](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-aws-role-assume)

Assume AWS IAM roles through Okta SAML federation.

* **Purpose:**
  * Obtain temporary AWS credentials via just-in-time access
  * Authenticate through Okta SAML to assume IAM roles
  * Output shell export commands for AWS CLI usage
* **Key Flags:**
  * `--account <id>` (AWS account ID or alias)
  * `--reason <text>` (justification for audit)
  * `--no-request` (skip access request if you have existing access)
* **Syntax:**

  ```bash
  $(p0 aws role assume MyRole --account 123456789012)
  ```

***

### ☁️ [p0 aws permission-set assume](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-aws-permission-set-assume)

Assume AWS permission sets through AWS Identity Center (IDC).

* **Purpose:**
  * Obtain temporary AWS credentials via just-in-time access
  * Authenticate through AWS Identity Center to assume permission sets
  * Output shell export commands for AWS CLI usage
* **Key Flags:**
  * `--account <id>` (AWS account ID or alias)
  * `--reason <text>` (justification for audit)
* **Syntax:**

  ```bash
  $(p0 aws permission-set assume AdministratorAccess --account 123456789012)
  ```

{% hint style="info" %}
The CLI shows either `p0 aws role` or `p0 aws permission-set` based on your AWS account configuration. Run `p0 aws --help` to see which is available.
{% endhint %}
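
The `$(...)` syntax in the two assume commands hands whatever the command prints to your shell. The function below is an added example, not P0 code, that accepts only allow-listed AWS variables before exporting them; it assumes one `export NAME=VALUE` statement per line, and the function name and allow-list are illustrative.

```bash
#!/bin/sh
# Added example, not P0 code. Assumption: the CLI prints one
# `export NAME=VALUE` statement per line (the page only says "shell export commands").

# Read export statements on stdin. Export them only if every line sets an
# allow-listed AWS variable to a value free of shell metacharacters.
# Nothing is exported unless the whole input validates. Returns 1 on rejection.
import_aws_exports() {
  local line rest name value kv accepted=''
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    case $line in
      'export '*=*) rest=${line#'export '} ;;
      *) echo "rejected: not an export statement" >&2; return 1 ;;
    esac
    name=${rest%%=*}
    value=${rest#*=}
    # Tolerate one pair of surrounding quotes around the value.
    case $value in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    case $name in
      AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN) ;;
      *) echo "rejected: unexpected variable $name" >&2; return 1 ;;
    esac
    case $value in
      ''|*[!A-Za-z0-9+/=_.:-]*)
        echo "rejected: unsafe value for $name" >&2; return 1 ;;
    esac
    accepted="$accepted $name=$value"
  done
  [ -n "$accepted" ] || return 1
  # Safe to word-split: validated entries contain no whitespace or glob characters.
  for kv in $accepted; do export "$kv"; done
}

# Usage (a heredoc keeps the exports in the current shell; a pipe would not):
#   out=$(p0 aws role assume MyRole --account 123456789012) || exit
#   import_aws_exports <<EOF
#   $out
#   EOF
```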

***

### ☸️ [p0 kubeconfig](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-kubeconfig)

Just-in-time AWS EKS access and kubeconfig automation.

* **Purpose:**
  * Request AWS EKS cluster access via p0
  * Automatically update your `~/.kube/config` context
* **Key Flags:**
  * `--cluster <CLUSTER_ID>` (registered in p0)
  * `--role <ClusterRole|CuratedRole|Role>`
  * `--resource <Kind> / <Namespace> / <Name>`
  * `--reason "<REASON>"`
  * `--duration "<DURATION>"`

***

### 🔓 [p0 allow](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-allow)

Declare pre-approved access grants for `p0 request` across multiple platforms.

* **Purpose:**
  * Create pre-approved access for another user for a period of time. You can provision any access that you can request, and you must be a valid approver for that person.
  * Apply policy guardrails and auto-revoke at expiry
* **Key Flags:**
  * `--to <principal>` (user, service account, or group)
  * `--length <total duration>`
  * `--duration <session TTL>`
  * Optional: `--start <timestamp>`, `--reason <text>`

***

### 🎫 [p0 grant](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-grant)

Issue ephemeral, just-in-time access requests for short-lived tasks.

* **Purpose:**
  * Trigger provisioning workflows on demand
  * Optionally block (`--wait`) until approval or denial
* **Key Flags:**
  * `--to <principal>`
  * `--duration <duration>`
  * Optional: `--reason <text>`, `-w/--wait`

***

### 🔍 [p0 ls](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ls)

Discover valid resource identifiers for `grant`, `allow`, `ssh`, and more.

* **Purpose:**
  * List ARNs, roles, permission-sets, groups, SSH sessions, etc.
  * Mark items you already have (`*`)
* **Key Flags:**
  * `p0 ls <integration> <subcommand> [filters]`
  * `--size <N>` (pagination)
  * `--json` (raw output)

***

### 📂 [p0 scp](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-scp)

Securely copy files using P0-provisioned SSH under the hood.

* **Purpose:**
  * Drop-in replacement for `scp` with automatic access requests
* **Syntax:**

  ```bash
  p0 scp <src> <dest> [P0-options] -- [scp flags]
  ```
* **Key Flags:**
  * `--provider <aws|gcloud|azure>`
  * `--reason <text>`
  * `--sudo`
  * `--debug`

***

### 🔑 [p0 ssh-keygen](https://github.com/p0-security/p0-docs/blob/main/p0-cli/p0-commands-and-usage/broken-reference/README.md)

Generate (or reuse) a P0-specific SSH key pair.

* **Purpose:**
  * Create a 2048-bit RSA key under `~/.p0/ssh/` with mode `600`
  * Auto-invoked by `p0 ssh`/`scp`, or run manually to pre-generate or rotate keys
* **Syntax:**

  ```bash
  p0 ssh-keygen
  ```
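
The CLI keeps tokens and config under `~/.p0/` (or `$TMP/p0` when `P0_ORG` is set), keeps its SSH key under `~/.p0/ssh/` with mode `600`, and `p0 logout` removes `~/.p0/config.json`. The script below is an added example, not P0 code, that checks those properties on disk; the function names and the owner-only policy applied to every entry are this example's assumptions.

```bash
#!/bin/sh
# Added example, not P0 code. The paths ~/.p0, ~/.p0/ssh and config.json come
# from this page; requiring owner-only access on every entry is this script's choice.

# Print each non-symlink path under $1 that grants any group/other permission bit.
p0_loose_paths() {
  [ -d "$1" ] || return 0
  find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
      -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Audit state directory $1. With a second argument "logged-out", also require
# that config.json is gone. Prints findings; returns 0 if clean, 1 otherwise.
p0_audit() {
  local dir=$1 mode=${2:-active} rc=0 loose
  loose=$(p0_loose_paths "$dir")
  if [ -n "$loose" ]; then
    printf 'not owner-only:\n%s\n' "$loose"
    rc=1
  fi
  if [ "$mode" = logged-out ] && [ -e "$dir/config.json" ]; then
    printf 'still present after logout: %s\n' "$dir/config.json"
    rc=1
  fi
  return "$rc"
}
```

Run `p0_audit "$HOME/.p0"` while logged in and `p0_audit "$HOME/.p0" logged-out` after `p0 logout`; pass `"$TMP/p0"` instead when `P0_ORG` is set.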

***

### 🔌 [p0 ssh-proxy](https://github.com/p0-security/p0-docs/blob/main/p0-cli/p0-commands-and-usage/broken-reference/README.md)

Expose P0's SSH tunnel as a ProxyCommand for custom SSH configs.

{% hint style="info" %}
This command is not meant to be run directly from the CLI; other CLI commands invoke it.
{% endhint %}

* **Purpose:**
  * Integrate P0's managed tunnel (`aws ssm start-session`, `gcloud iap-tunnel`, Azure) into `~/.ssh/config`
  * Reuse approved sessions across multiple SSH calls
* **Syntax:**

  ```bash
  p0 ssh-proxy <destination> \
    --provider <aws|gcloud|azure> \
    --port <22> \
    -i <identityFile> \
    --request-json <path/to/request.json> \
    [--org <org-id>]
  ```

***

### 📑 [p0 ssh-resolve](https://docs.p0.dev/p0-cli/troubleshooting/p0-ssh-resolve)

Resolves host names in the SSH command if they are accessible to you without manual approval.

{% hint style="info" %}
This command is not meant to be run directly; it is used by the SSH config file.
{% endhint %}

* **Purpose:**
  * Generate approved requests and credentials.
  * Perfect for automation, editor plugins, or CI pipelines
* **Syntax:**

  ```bash
  p0 ssh-resolve <destination> \
    [--provider <aws|gcloud|azure>] \
    [--parent <account/project>] \
    [-q|--quiet] \
    [--debug]
  ```
