# p0 aws permission-set assume

### Overview

Assume an AWS permission set through AWS Identity Center (IDC) and obtain temporary AWS credentials.

* Request just-in-time access to an AWS permission set (always creates a request).
* Authenticate via AWS Identity Center OIDC to obtain temporary AWS credentials.
* Output shell export commands for `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
* Use command substitution to set credentials in your current shell session.
* Credentials are cached locally for one hour to avoid repeated authentication.

### Prerequisites

* **Logged-in user**: Run `p0 login <org>` first.
* **AWS account configured**: P0 must be installed on the target AWS account with AWS Identity Center (IDC) login.
* **Permission set assignment**: The requested permission set must be assigned to your user in AWS Identity Center.

{% hint style="info" %}
This command is only available for AWS accounts configured with **AWS Identity Center (IDC)**. The CLI automatically detects your account type and shows either `p0 aws permission-set` (for Identity Center) or `p0 aws role` (for Okta SAML federation) based on your configuration. Run `p0 aws --help` to see which subcommands are available for your account.
{% endhint %}

### Syntax

```
p0 aws [options] permission-set assume <permission-set>
```

### Arguments

| Argument           | Type   | Required | Description                       |
| ------------------ | ------ | -------- | --------------------------------- |
| `<permission-set>` | string | Yes      | AWS permission set name to assume |

### Options

| Option            | Type    | Default | Description                                                                |
| ----------------- | ------- | ------- | -------------------------------------------------------------------------- |
| `--account <id>`  | string  | -       | AWS account ID or alias. Required if P0 is installed on multiple accounts. |
| `--reason <text>` | string  | -       | Justification for audit and approver context                               |
| `--debug`         | boolean | `false` | Print debug information                                                    |

{% hint style="info" %}
You can set the `P0_AWS_ACCOUNT` environment variable instead of passing `--account` with every command.
{% endhint %}

### Output

The command outputs shell export commands for AWS credentials:

```bash
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
export AWS_SECURITY_TOKEN=...
```

When run in an interactive terminal, the output includes usage instructions. When piped or used in scripts, only the export commands are printed.

### Examples

#### Assume a permission set

```bash
$(p0 aws permission-set assume AdministratorAccess --account 123456789012 --reason "Deploy hotfix")
```

Uses command substitution to set AWS credentials in your current shell.

#### View credentials without setting them

```bash
p0 aws permission-set assume ReadOnlyAccess --account 123456789012
```

Prints the export commands without executing them. Copy and paste to set credentials manually.

#### Use with AWS CLI

```bash
$(p0 aws permission-set assume PowerUserAccess --account 123456789012)
aws s3 ls
```

After assuming the permission set, run AWS CLI commands with the provisioned credentials.
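The `$(...)` pattern in the examples above evaluates whatever the command prints, so a wrapper that checks the piped output before applying it is a useful safeguard. The following POSIX shell functions are an added example, not part of the P0 docs or CLI: `SAMPLE_OUTPUT` holds constructed placeholder values in the format shown under Output, and `p0_assume` is a hypothetical wrapper that assumes the `p0` CLI is installed.

```shell
# Constructed sample of the export lines `p0 aws permission-set assume`
# prints when piped (placeholder values, not real credentials).
SAMPLE_OUTPUT='export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID0001
export AWS_SECRET_ACCESS_KEY=ExampleSecretKey+/abc123
export AWS_SESSION_TOKEN=ExampleSessionToken==
export AWS_SECURITY_TOKEN=ExampleSessionToken=='

# Return 0 only if every non-empty line has the form `export AWS_<NAME>=<value>`
# and <value> contains nothing beyond the base64-style characters AWS uses.
# Anything else (usage text, a second command, an empty value) is rejected.
validate_exports() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
      "export AWS_"[A-Z_]*"="*) ;;
      *) return 1 ;;
    esac
    value=${line#*=}
    case "$value" in
      '' | *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
  done <<EOF
$1
EOF
  return 0
}

# Validate first, then export into the current shell; never eval unchecked output.
apply_exports() {
  validate_exports "$1" || return 1
  eval "$1"
}

# Hypothetical wrapper (assumes the p0 CLI is installed): capturing stdout
# means the command is not interactive, so only export lines are produced.
p0_assume() {
  out=$(p0 aws permission-set assume "$1" --account "$2" --reason "$3") || return 1
  apply_exports "$out"
}
```

Source this file and call `p0_assume AdministratorAccess 123456789012 "Deploy hotfix"` in place of the bare `$(...)` substitution.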

### How it works

1. **P0 authentication**: Validates your P0 session (prompts for login if expired).
2. **Access request**: Creates a P0 access request and waits for approval and provisioning.
3. **AWS IDC client registration**: Registers the CLI as an OIDC client with AWS Identity Center (cached for 90 days).
4. **Device authorization**: Initiates AWS OIDC device authorization flow; opens browser for user consent.
5. **Token exchange**: Exchanges the OIDC token for AWS credentials for the specified account and permission set.
6. **Credential output**: Prints shell export commands for the AWS credentials.

{% hint style="info" %}
Credentials are valid for 1 hour. The command caches credentials locally to avoid repeated authentication within that period.
{% endhint %}

### Error messages

| Error                                                                     | Cause                                                            | Solution                                                                                                    |
| ------------------------------------------------------------------------- | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `Unexpected login type. Expected IDC to be enabled for account {account}` | AWS account uses Okta SAML federation instead of Identity Center | This account requires `p0 aws role assume`. Run `p0 aws --help` to see available commands for your account. |
| `Could not find an AWS account ID for this access request`                | Account ID not specified or not found                            | Specify the account with `--account <id>`                                                                   |
| `Timed out fetching AWS credentials. Try again...`                        | AWS credential exchange timed out after retries                  | Retry the command; if the issue persists, contact <support@p0.dev>                                          |
| `P0 is not installed on any AWS account`                                  | No AWS accounts configured in P0                                 | Ask your P0 administrator to install the AWS integration                                                    |
| `P0 is not installed on AWS account {account}`                            | Specified account not found                                      | Verify the account ID or alias                                                                              |
| `Please select a unique AWS account with --account`                       | Multiple accounts configured                                     | Specify which account with `--account`                                                                      |
| `Your request was denied`                                                 | P0 access request denied by approver                             | Contact your approver or request with a different reason                                                    |
| `Your request did not complete within 5 minutes.`                         | Request approval timed out                                       | Check your notification channel for approval status                                                         |

### Related commands

* [p0 request](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-request) - Request access without assuming the permission set
* [p0 login](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-login) - Authenticate with P0
* [p0 ls](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ls) - List available permission sets and resources

### Related documentation

* [AWS integration](https://docs.p0.dev/integrations/resource-integrations/aws) - Configure P0 for AWS
* [Requesting AWS access](https://docs.p0.dev/integrations/resource-integrations/aws/requesting-access) - Request types for AWS
