p0 aws role assume
Overview
Assume an AWS IAM role through Okta SAML federation and obtain temporary AWS credentials.
Request just-in-time access to an AWS role (enabled by default).
Authenticate via Okta SAML to obtain temporary AWS credentials.
Output shell export commands for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN. Use command substitution to set the credentials in your current shell session.
Credentials are cached locally for one hour to avoid repeated authentication.
Prerequisites
Logged-in user: Run p0 login <org> first.
AWS account configured: P0 must be installed on the target AWS account with federated identity provider (Okta SAML) login.
Okta directory integration: Your organization must have an Okta directory integration installed.
Role assignment: Okta must assign the requested role to your user.
This command is only available for AWS accounts configured with federated identity provider login via Okta SAML. The CLI automatically detects your account type and shows either p0 aws role (for Okta SAML federation) or p0 aws permission-set (for AWS Identity Center) based on your configuration. Run p0 aws --help to see which subcommands are available for your account.
Syntax
p0 aws [options] role assume <role> [--request | --no-request]
Arguments
<role> (string, required): AWS IAM role name to assume.
Options
--account <id> (string, no default): AWS account ID or alias. Required when P0 is installed on more than one account.
--reason <text> (string, no default): Justification recorded for audit and shown to approvers.
--request (boolean, default true): Create a P0 access request before assuming the role.
--no-request (boolean): Skip the access request and use access you already hold.
--debug (boolean, default false): Print debug information.
You can set the P0_AWS_ACCOUNT environment variable instead of passing --account on every command.
Output
The command prints shell export commands for the three AWS credential variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
When run in an interactive terminal, the output also includes usage instructions. When stdout is not a terminal, as in a pipe, a script, or a command substitution, only the export commands are printed.
Examples
Assume a role with automatic access request
Uses command substitution to set AWS credentials in your current shell.
Assume a role without creating a new request
Skip the P0 request if you already have active access to the role.
View credentials without setting them
Prints the export commands without executing them. Copy and paste to set credentials manually.
Use with AWS CLI
After assuming the role, run AWS CLI commands with the provisioned credentials.
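The examples above load whatever the command prints straight into the shell. The following POSIX shell function is an added illustration, not code from the P0 docs or the p0 CLI: it wraps the same command-substitution pattern in a check that accepts only the three documented export lines and refuses anything else (a warning, an unexpected variable, a value containing shell metacharacters) before it can be executed. The sample output strings are constructed to match the documented shape and contain fake values; the function name and its behaviour are this example's own.

```shell
#!/bin/sh
# Added example, not part of the P0 documentation or the p0 CLI.
# It wraps the command-substitution pattern the docs describe in a check:
# instead of eval'ing whatever `p0 aws role assume` printed, accept only the
# three documented `export` lines (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
# AWS_SESSION_TOKEN) and refuse anything else before it reaches the shell.
# Parsing uses parameter expansion only, so no part of the captured text is
# expanded or evaluated until it has been checked.

# Constructed sample output in the documented shape (fake, non-functional values).
P0_SAMPLE_OUTPUT='export AWS_ACCESS_KEY_ID=ASIAEXAMPLEKEYID0001
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEBYaDEXAMPLE/TOKEN+VALUE=='

# Constructed output carrying an extra line that must never be executed.
P0_TAMPERED_OUTPUT="$P0_SAMPLE_OUTPUT
export PATH=/tmp/evil:\$PATH"

# import_p0_exports TEXT
#   TEXT is the captured stdout of `p0 aws role assume ...`.
#   Success: the three AWS_* variables are exported into the calling shell; returns 0.
#   Any unexpected line, bad value or missing variable: nothing is exported; returns 1.
import_p0_exports() {
  _rest=$1
  _id='' _secret='' _token=''
  _nl=$(printf '\n.'); _nl=${_nl%.}      # literal newline
  _cr=$(printf '\r')                      # literal carriage return
  while [ -n "$_rest" ]; do
    # Peel off one line at a time without a heredoc or pipe, so the text is
    # never re-expanded and the loop body runs in the current shell.
    case $_rest in
      *"$_nl"*) _line=${_rest%%"$_nl"*}; _rest=${_rest#*"$_nl"} ;;
      *)        _line=$_rest;            _rest='' ;;
    esac
    _line=${_line%"$_cr"}
    [ -n "$_line" ] || continue
    case $_line in
      'export AWS_ACCESS_KEY_ID='* | 'export AWS_SECRET_ACCESS_KEY='* | 'export AWS_SESSION_TOKEN='*) ;;
      *) echo "import_p0_exports: refusing unexpected line: $_line" >&2; return 1 ;;
    esac
    _name=${_line#export }; _name=${_name%%=*}
    _val=${_line#*=}
    _val=${_val#\"}; _val=${_val%\"}      # tolerate a double-quoted value
    case $_val in
      '' | *[!A-Za-z0-9/+=]*)             # key IDs and STS tokens are plain base64-style tokens
        echo "import_p0_exports: refusing value for $_name" >&2; return 1 ;;
    esac
    case $_name in
      AWS_ACCESS_KEY_ID)     _id=$_val ;;
      AWS_SECRET_ACCESS_KEY) _secret=$_val ;;
      AWS_SESSION_TOKEN)     _token=$_val ;;
    esac
  done
  if [ -z "$_id" ] || [ -z "$_secret" ] || [ -z "$_token" ]; then
    echo "import_p0_exports: output did not contain all three credential variables" >&2
    return 1
  fi
  # Only now, after every line has been accepted, touch the environment.
  export AWS_ACCESS_KEY_ID="$_id" AWS_SECRET_ACCESS_KEY="$_secret" AWS_SESSION_TOKEN="$_token"
}
```

In practice you would call it with the same command substitution the examples use, for instance `import_p0_exports "$(p0 aws role assume <role> --account <id>)"`, and then run `aws sts get-caller-identity` to confirm which role the AWS CLI now sees. Because the function exports only after the whole output has been validated, a failed import leaves any previously loaded credentials untouched.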
How it works
P0 authentication: Validates your P0 session (prompts for login if expired).
Access request (if --request): Creates a P0 access request and waits up to 5 minutes for approval and provisioning.
Okta token exchange: Exchanges your OIDC tokens for an Okta Web SSO token.
SAML assertion: Retrieves a SAML assertion from Okta containing your role assignments.
AWS STS: Calls AWS AssumeRoleWithSAML to obtain temporary credentials.
Credential output: Prints shell export commands for the AWS credentials.
Credentials are valid for 1 hour. The command caches credentials locally to avoid repeated authentication within that period.
Error messages
Account {label} is not configured for Okta SAML login.
  Cause: the AWS account uses IAM Identity Center instead of Okta SAML federation.
  Resolution: use p0 aws permission-set assume for this account; run p0 aws --help to see the subcommands available for your account.
Role {role} not available. Available roles: ...
  Cause: the role is not assigned to your user in Okta.
  Resolution: contact your administrator to assign the role, or request access first.
P0 is not installed on any AWS account
  Cause: no AWS accounts are configured in P0.
  Resolution: ask your P0 administrator to install the AWS integration.
P0 is not installed on AWS account {account}
  Cause: the specified account was not found.
  Resolution: verify the account ID or alias.
Please select a unique AWS account with --account
  Cause: multiple accounts are configured.
  Resolution: specify which account with --account (or set P0_AWS_ACCOUNT).
Your Okta session has expired.
  Cause: your Okta tokens have expired.
  Resolution: log out of Okta in your browser and run the command again.
Your request was denied
  Cause: the P0 access request was denied by an approver.
  Resolution: contact your approver, or request again with a different reason.
Your request did not complete within 5 minutes.
  Cause: request approval timed out.
  Resolution: check your notification channel for the approval status.
Related commands
p0 request - Request access without assuming the role
p0 login - Authenticate with P0
p0 ls - List available roles and resources
Related documentation
AWS integration - Configure P0 for AWS
Okta directory integration - Set up Okta federation
Requesting AWS access - Request types for AWS