p0 Commands and Usage
p0 CLI Overview
A developer-focused overview of all p0 CLI commands. Use this as your launchpad—each section links to in-depth docs with examples, flags, and troubleshooting.
📥 p0 login
Bootstrap your local CLI with your organization’s credentials and config.
Purpose:
Launch browser SSO (Google, Okta, Ping, Microsoft, etc.)
Persist tokens & config under
~/.p0/(or$TMP/p0if you setP0_ORGenvironmental variable.)
Outcome:
Validated Org access
Ability to run
p0 request,p0 ssh,p0 aws, and more without re-authenticating
Key Flags:
p0 login <ORG_ID>P0_ORG=<ORG_ID> p0 login(env-var shortcut)
Remove all P0 CLI credentials, config files, and cached data from your system.
Purpose:
Delete saved identity/authentication tokens
Remove local configuration files (
~/.p0/config.json)Clear CLI session caches
Syntax:
p0 logout
Outcome:
Ensures no sensitive data persists after use
Requires a fresh
p0 loginbefore running other commands
Notes:
Recommended on shared systems, CI environments, or when rotating credentials.
All privileged CLI commands will prompt re-authentication after logout.
Just-in-time AWS EKS access and kubeconfig automation.
Purpose:
Request AWS EKS cluster access via p0
Automatically update your
~/.kube/configcontext
Key Flags:
--cluster <CLUSTER_ID>(registered in p0)--role <ClusterRole|CuratedRole|Role>--resource <Kind> / <Namespace> / <Name>--reason "<REASON>"--duration "<DURATION>"
🔓 p0 allow
Declare pre-approved access grants for p0 Request across multiple platforms.
Purpose:
Provision any access that you can request. This is for creating pre-approved access for another user for a period of time. You must be a valid approver for that person.
Apply policy guardrails and auto-revoke at expiry
Key Flags:
--to <principal>(user, service account, or group)--length <total duration>--duration <session TTL>Optional:
--start <timestamp>,--reason <text>
🎫 p0 grant
Issue ephemeral, just-in-time access requests for short-lived tasks.
Purpose:
Trigger provisioning workflows on demand
Optionally block (
--wait) until approval or denial
Key Flags:
--to <principal>--duration <duration>Optional:
--reason <text>,-w/--wait
🔍 p0 ls
Discover valid resource identifiers for grant, allow, ssh, and more.
Purpose:
List ARNs, roles, permission-sets, groups, SSH sessions, etc.
Mark items you already have (
*)
Key Flags:
p0 ls <integration> <subcommand> [filters]--size <N>(pagination)--json(raw output)
📂 p0 scp
Securely copy files using P0-provisioned SSH under the hood.
Purpose:
Drop-in replacement for
scpwith automatic access requests
Syntax:
p0 scp <src> <dest> [P0-options] -- [scp flags]Key Flags:
--provider <aws|gcloud|azure>--reason <text>--sudo--debug
Generate (or reuse) a P0-specific SSH key pair.
Purpose:
Create a 2048-bit RSA key under
~/.p0/ssh/with mode600Auto-invoked by
p0 ssh/scp, or run manually to pre-generate or rotate keys
Syntax:
p0 ssh-keygen
Expose P0’s SSH tunnel as a ProxyCommand for custom SSH configs.
Purpose:
Integrate P0’s managed tunnel (
aws ssm start-session,gcloud iap-tunnel, Azure) into~/.ssh/configReuse approved sessions across multiple SSH calls
Syntax:
p0 ssh-proxy <destination> \ --provider <aws|gcloud|azure> \ --port <22> \ -i <identityFile> \ --requestJson <path/to/request.json>
Resolves host names in the SSH command if they are accessible to you without manual approval.
Purpose:
Generate approved requests and credentials.
Perfect for automation, editor plugins, or CI pipelines
Syntax:
p0 ssh-resolve <destination> \ [--provider <aws|gcloud|azure>] \ [--parent <account/project>] \ [-q|--quiet] \ [--debug
Last updated