Sign up for FreeKnowledge Base

p0 allow

Overview

The p0 allow command lets you declare pre-approved access for principals (users, service accounts, groups) across your organization’s platforms AWS, GCP, Kubernetes, Okta, PostgreSQL, Snowflake, SSH, and Google Workspace so that when a user requests access, it’s automatically granted for the specified duration without manual approval.

Use p0 allow to onboard team members, set up long-lived service roles, or delegate cross-platform access with full visibility.

Prerequisites

  • Logged-in user

  • Be an approver of the request being created

p0 login <organization-slug>

  • Network access

    Allow HTTPS to https://<your-tenant>/o/<org-slug>/command/.

Syntax

p0 allow <provider> <subcommand> [resource args…]
    --to <principal>
    --length <duration>
    [--start <timestamp>]
    [--reason <text>]
    [--wait]

  • <provider>

    • aws

    • azure-ad

    • gcloud

    • k8s

    • okta

    • pg

    • snowflake

    • ssh

    • workspace

  • <subcommand> & resource args

    Provider-specific (see Examples below or run p0 allow <provider> --help)

  • --to <principal>

    Email or identifier (e.g. [email protected])

  • --length <duration>

    How long the standing access exists (e.g. 1 month)

  • --start <timestamp> (optional)

    When the grant should begin (ISO 8601 or common date formats)

  • --reason <text> (optional)

    Justification for audit logs and provide the approver with justification for request.

  • --wait / -w (optional)

    Block until provisioning completes

Global Flags

Flag

Alias

Type

Description

--to <principal>

string

Required. Principal to grant (user, service account, or group)

--length <duration>

string

Required. Total duration of the standing grant (e.g. 2 weeks, 5 days)

--start <timestamp>

string

(Optional) Grant start time (e.g. 2025-05-01T09:00:00Z, 06/01/2025)

--reason <text>

string

(Optional) Why this access is needed

--help

boolean

Show provider-specific usage and subcommands

Durations accept human-friendly strings:

10 minutes, 2 hours, 5 days, 1 week, 1 month

Supported Providers

  • AWS (p0 allow aws …)

  • Azure AD (p0 allow azure-ad …)

  • GCP (p0 allow gcloud …)

  • Kubernetes (p0 allow k8s …)

  • Okta (p0 allow okta …)

  • PostgreSQL (p0 allow pg …)

  • Snowflake (p0 allow snowflake …)

  • SSH (p0 allow ssh …)

  • Workspace (p0 allow workspace …)

For the full list of subcommands and resource arguments, append --help after the provider:

p0 allow aws --help
p0 allow gcloud --help
# …etc.

Examples

1. AWS: Grant IAM Policy on a Resource

p0 allow aws resource arn:aws:s3:::my-bucket/* ReadOnlyAccess \
  --account 123456789012 \
  --to [email protected] \
  --start 04/30/2025 \
  --length '1 month' \
  --requested-duration '1 days'

  • Subcommand: resource <ARN> <policy…>

  • Account: AWS account ID

  • Outcome: Alice gets Read-Only access to all objects in my-bucket for one month, each session up to one day.

2. GCP: Grant an IAM Role

p0 allow gcloud role roles/viewer \
  --project my-gcp-project \
  --to [email protected] \
  --start 04/30/2025 \
  --length '2 weeks' \
  --requested-duration '12 hours'

  • Subcommand: role <role-name>

  • Project: GCP project ID

  • Outcome: Bob receives the viewer role on my-gcp-project for 2 weeks, sessions lasting up to 12 hours.

3. SSH: Add to an Access Group

p0 allow ssh group --name devs \
  --to [email protected] \
  --start 04/30/2025 \
  --length '1 week' \
  --requested-duration '4 hours'

  • Subcommand: group --name <group-name>

  • Outcome: Charlie is added to the SSH access group devs for 1 week, each session up to 4 hours.

Previousp0 lsNextp0 grant

Last updated