p0 allow
Overview
The p0 allow command lets you declare pre-approved access for principals (users, service accounts, groups) across your organization’s platforms (AWS, GCP, Kubernetes, Okta, PostgreSQL, Snowflake, SSH, and Google Workspace), so that when a user requests access, it is automatically granted for the specified duration without manual approval.
Use p0 allow to onboard team members, set up long-lived service roles, or delegate cross-platform access with full visibility.
Prerequisites
Logged-in user
Be an approver of the request being created
p0 login <organization-slug>
Network access
Allow HTTPS to https://<your-tenant>/o/<org-slug>/command/.
Syntax
p0 allow <provider> <subcommand> [resource args…]
--to <principal>
--length <duration>
--requested-duration <duration>
[--start <timestamp>]
[--reason <text>]
[--wait]
<provider>
aws
azure-ad
gcloud
k8s
okta
pg
snowflake
ssh
workspace
<subcommand> & resource args
Provider-specific (see Examples below or run p0 allow <provider> --help)
--to <principal>
Email or identifier (e.g. [email protected])
--length <duration>
How long the standing access exists (e.g. 1 month)
--requested-duration <duration>
Maximum TTL per individual request (e.g. 4 hours)
--start <timestamp> (optional)
When the grant should begin (ISO 8601 or common date formats)
--reason <text> (optional)
Justification recorded for audit logs and provided to the approver of the request.
--wait / -w (optional)
Block until provisioning completes
Global Flags
| Flag | Alias | Type | Description |
| --- | --- | --- | --- |
| --to <principal> | | string | Required. Principal to grant (user, service account, or group) |
| --length <duration> | | string | Required. Total duration of the standing grant (e.g. 2 weeks, 5 days) |
| --requested-duration <dur> | | string | Required. TTL for each individual session (e.g. 6 hours, 30 minutes) |
| --start <timestamp> | | string | (Optional) Grant start time (e.g. 2025-05-01T09:00:00Z, 06/01/2025) |
| --reason <text> | | string | (Optional) Why this access is needed |
| --help | | boolean | Show provider-specific usage and subcommands |
Durations accept human-friendly strings:
10 minutes, 2 hours, 5 days, 1 week, 1 month
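The following shell functions are an added example, not part of the P0 CLI or its documentation: they pre-check the values intended for --length and --requested-duration before a standing grant is declared, rejecting a session TTL longer than the grant itself and anything above an organizational cap. The function names, the cap values, and the 30-day month are assumptions, and P0's own duration parsing may differ.

```shell
#!/bin/sh
# Added example, not P0 code: pre-check p0 allow duration flags.
# Assumption: 1 month = 30 days; P0's own duration parser may differ.

# Hypothetical policy caps (assumptions; set to your organization's limits).
MAX_LENGTH='3 months'   # longest standing grant
MAX_SESSION='1 day'     # longest single session

# Convert "<n> <unit>" (units from the list above) to seconds on stdout.
# Returns 1 on anything else, including zero or leading-zero counts.
dur_to_seconds() {
    n=${1%% *}          # text before the first space
    unit=${1#* }        # text after the first space
    case $n in ''|0*|*[!0-9]*) return 1 ;; esac
    case $unit in
        minute|minutes) echo $(( $n * 60 )) ;;
        hour|hours)     echo $(( $n * 3600 )) ;;
        day|days)       echo $(( $n * 86400 )) ;;
        week|weeks)     echo $(( $n * 604800 )) ;;
        month|months)   echo $(( $n * 2592000 )) ;;
        *) return 1 ;;
    esac
}

# check_grant <length> <requested-duration>
# Prints "ok" or a "reject: ..." reason; returns 0 only when acceptable.
check_grant() {
    len=$(dur_to_seconds "$1") || { echo "reject: bad --length"; return 1; }
    ttl=$(dur_to_seconds "$2") || { echo "reject: bad --requested-duration"; return 1; }
    if [ "$ttl" -gt "$len" ]; then
        echo "reject: session TTL exceeds grant length"; return 1
    fi
    if [ "$len" -gt "$(dur_to_seconds "$MAX_LENGTH")" ]; then
        echo "reject: grant length exceeds policy cap"; return 1
    fi
    if [ "$ttl" -gt "$(dur_to_seconds "$MAX_SESSION")" ]; then
        echo "reject: session TTL exceeds policy cap"; return 1
    fi
    echo "ok"
}

# Constructed sample inputs; the first pair matches AWS example 1 on this page.
check_grant '1 month' '1 days'
check_grant '1 week' '2 weeks' || true
check_grant '6 months' '4 hours' || true
```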
Supported Providers
AWS (p0 allow aws …)
Azure AD (p0 allow azure-ad …)
GCP (p0 allow gcloud …)
Kubernetes (p0 allow k8s …)
Okta (p0 allow okta …)
PostgreSQL (p0 allow pg …)
Snowflake (p0 allow snowflake …)
SSH (p0 allow ssh …)
Workspace (p0 allow workspace …)
For the full list of subcommands and resource arguments, append --help after the provider:
p0 allow aws --help
p0 allow gcloud --help
# …etc.
Examples
1. AWS: Grant IAM Policy on a Resource
p0 allow aws resource 'arn:aws:s3:::my-bucket/*' ReadOnlyAccess \
--account 123456789012 \
--to [email protected] \
--start 04/30/2025 \
--length '1 month' \
--requested-duration '1 days'
Subcommand: resource <ARN> <policy…>
Account: AWS account ID
Outcome: Alice gets Read-Only access to all objects in my-bucket for one month, each session up to one day.
2. GCP: Grant an IAM Role
p0 allow gcloud role roles/viewer \
--project my-gcp-project \
--to [email protected] \
--start 04/30/2025 \
--length '2 weeks' \
--requested-duration '12 hours'
Subcommand: role <role-name>
Project: GCP project ID
Outcome: Bob receives the viewer role on my-gcp-project for two weeks, sessions lasting up to 12 hours.
3. SSH: Add to an Access Group
p0 allow ssh group --name devs \
--to [email protected] \
--start 04/30/2025 \
--length '1 week' \
--requested-duration '4 hours'
Subcommand: group --name <group-name>
Outcome: Charlie is added to the SSH access group devs for one week, each session up to four hours.