# p0 aws permission-set assume

### Overview

Assume an AWS permission set through AWS Identity Center (IDC) and obtain temporary AWS credentials.

* Request just-in-time access to an AWS permission set (always creates a request).
* Authenticate via AWS Identity Center OIDC to obtain temporary AWS credentials.
* Output shell export commands for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` (plus `AWS_SECURITY_TOKEN`, as shown under Output below).
* Use command substitution to set credentials in your current shell session.
* Credentials are cached locally for one hour to avoid repeated authentication.

### Prerequisites

* **Logged-in user**: Run `p0 login <org>` first.
* **AWS account configured**: P0 must be installed on the target AWS account with AWS Identity Center (IDC) login.
* **Permission set assignment**: The requested permission set must be assigned to your user in AWS Identity Center.

{% hint style="info" %}
This command is only available for AWS accounts configured with **AWS Identity Center (IDC)**. The CLI automatically detects your account type and shows either `p0 aws permission-set` (for Identity Center) or `p0 aws role` (for Okta SAML federation) based on your configuration. Run `p0 aws --help` to see which subcommands are available for your account.
{% endhint %}

### Syntax

```
p0 aws [options] permission-set assume <permission-set>
```

### Arguments

| Argument           | Type   | Required | Description                       |
| ------------------ | ------ | -------- | --------------------------------- |
| `<permission-set>` | string | Yes      | AWS permission set name to assume |

### Options

| Option            | Type    | Default | Description                                                                |
| ----------------- | ------- | ------- | -------------------------------------------------------------------------- |
| `--account <id>`  | string  | -       | AWS account ID or alias. Required if P0 is installed on multiple accounts. |
| `--reason <text>` | string  | -       | Justification for audit and approver context                               |
| `--debug`         | boolean | `false` | Print debug information                                                    |

{% hint style="info" %}
You can set the `P0_AWS_ACCOUNT` environment variable instead of passing `--account` on every command.
{% endhint %}

### Output

The command outputs shell export commands for AWS credentials:

```bash
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
export AWS_SECURITY_TOKEN=...
```

When run in an interactive terminal, the output includes usage instructions. When piped or used in scripts, only the export commands are printed.

### Examples

#### Assume a permission set

```bash
$(p0 aws permission-set assume AdministratorAccess --account 123456789012 --reason "Deploy hotfix")
```

The `$(...)` command substitution runs the printed `export` commands in your current shell, so the credentials are available to the commands that follow.

#### View credentials without setting them

```bash
p0 aws permission-set assume ReadOnlyAccess --account 123456789012
```

Prints the export commands without executing them. Copy and paste to set credentials manually.

#### Use with AWS CLI

```bash
$(p0 aws permission-set assume PowerUserAccess --account 123456789012)
aws s3 ls
```

After assuming the permission set, run AWS CLI commands with the provisioned credentials.

### How it works

1. **P0 authentication**: Validates your P0 session (prompts for login if expired).
2. **Access request**: Creates a P0 access request and waits for approval and provisioning.
3. **AWS IDC client registration**: Registers the CLI as an OIDC client with AWS Identity Center (cached for 90 days).
4. **Device authorization**: Initiates AWS OIDC device authorization flow; opens browser for user consent.
5. **Token exchange**: Exchanges the OIDC token for AWS credentials for the specified account and permission set.
6. **Credential output**: Prints shell export commands for the AWS credentials.

{% hint style="info" %}
Credentials are valid for 1 hour. The command caches credentials locally to avoid repeated authentication within that period.
{% endhint %}
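The `$(...)` pattern in the examples above executes whatever the command prints. The following wrapper, added here as an illustration and not part of the P0 CLI, loads the four `export AWS_*=...` lines only after validating each one, and records the one-hour validity window from the note above; the account ID in the usage comment is the same placeholder the page uses.

```bash
#!/bin/sh
# Added example, not P0's own code: load the `export AWS_*=...` lines that
# `p0 aws permission-set assume` prints into the current shell only after every
# line has been validated, instead of letting $(...) execute the output as-is.
# Assumes the output format shown under "Output" (four export lines).

# Only these four variables, only `export NAME=VALUE`, only a safe value charset:
# no spaces, `;`, `$`, backticks or quotes can reach eval.
AWS_CRED_LINE='^export AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN|SECURITY_TOKEN)=[A-Za-z0-9+/=]+$'

# p0_load_creds "<command output>": returns 0 and exports the variables, or
# returns 1 and exports nothing if any non-empty line is not a credential line.
p0_load_creds() {
    [ -n "$1" ] || { echo 'p0_load_creds: empty output' >&2; return 1; }
    # Pass 1: reject the whole text if any non-empty line fails validation.
    if printf '%s\n' "$1" | grep -v '^$' | grep -Evq "$AWS_CRED_LINE"; then
        echo 'p0_load_creds: unexpected line in output, credentials not loaded' >&2
        return 1
    fi
    # Pass 2: every line is now known to be `export AWS_X=<safe chars>`,
    # so evaluating the text runs exactly those assignments and nothing else.
    eval "$1"
    # The page states credentials are valid for 1 hour; record when to re-assume.
    P0_CREDS_EXPIRES_AT=$(( $(date +%s) + 3600 ))
    export P0_CREDS_EXPIRES_AT
}

# p0_creds_valid: succeeds while the loaded credentials are within their hour.
p0_creds_valid() {
    [ -n "${P0_CREDS_EXPIRES_AT:-}" ] && [ "$(date +%s)" -lt "$P0_CREDS_EXPIRES_AT" ]
}

# Usage (placeholder account ID, as on the page):
# p0_load_creds "$(p0 aws permission-set assume ReadOnlyAccess --account 123456789012)" \
#   && aws sts get-caller-identity
```

Source the file in your shell (rather than running it) so the exported variables persist in the current session.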

### Error messages

| Error                                                                     | Cause                                                            | Solution                                                                                                    |
| ------------------------------------------------------------------------- | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `Unexpected login type. Expected IDC to be enabled for account {account}` | AWS account uses Okta SAML federation instead of Identity Center | This account requires `p0 aws role assume`. Run `p0 aws --help` to see available commands for your account. |
| `Could not find an AWS account ID for this access request`                | Account ID not specified or not found                            | Specify the account with `--account <id>`                                                                   |
| `Timed out fetching AWS credentials. Try again...`                        | AWS credential exchange timed out after retries                  | Retry the command; if issue persists, contact <support@p0.dev>                                              |
| `P0 is not installed on any AWS account`                                  | No AWS accounts configured in P0                                 | Ask your P0 administrator to install the AWS integration                                                    |
| `P0 is not installed on AWS account {account}`                            | Specified account not found                                      | Verify the account ID or alias                                                                              |
| `Please select a unique AWS account with --account`                       | Multiple accounts configured                                     | Specify which account with `--account`                                                                      |
| `Your request was denied`                                                 | P0 access request denied by approver                             | Contact your approver or request with a different reason                                                    |
| `Your request did not complete within 5 minutes.`                         | Request approval timed out                                       | Check your notification channel for approval status                                                         |

### Related commands

* [p0 request](/p0-cli/p0-commands-and-usage/p0-request.md) - Request access without assuming the permission set
* [p0 login](/p0-cli/p0-commands-and-usage/p0-login.md) - Authenticate with P0
* [p0 ls](/p0-cli/p0-commands-and-usage/p0-ls.md) - List available permission sets and resources

### Related documentation

* [AWS integration](/integrations/resource-integrations/aws.md) - Configure P0 for AWS
* [Requesting AWS access](/integrations/resource-integrations/aws/requesting-access.md) - Request types for AWS
