
# p0 grant

### **Overview**

The `p0 grant` command lets you **request access on behalf of another principal** (user, service account, or group) to a specific resource in your organization's platforms: AWS, Azure AD, GCP, Kubernetes, Okta, PostgreSQL, Snowflake, SSH, and Google Workspace.

Unlike p0 allow (which sets up standing access), p0 grant issues **ephemeral** access requests that:

1. **Trigger** the provisioning workflow in the target system
2. **Optionally wait** until the request is approved or denied
3. **Report** the outcome and exit with a status code

Use `p0 grant` when another user needs just-in-time access for troubleshooting, one-off tasks, or short-lived sessions, or when the access is for a non-human identity (NHI).

***

### **Prerequisites**

* **Logged-in user**

  If you're not logged in or your token expired, p0 grant will prompt you to authenticate.
* **Tenant configuration**

  Confirm `~/.p0/config.json` has the correct appUrl for your P0 tenant.
* **Network access**

  Ensure HTTPS egress to `https://<your-tenant>/o/<org-slug>/command/`.

***

### **Syntax**

```plaintext
p0 grant <provider> <subcommand> [resource args…]
    --to <principal>
    --duration <duration>
    [--reason <text>]
    [-w|--wait]
    [--help]
```

* `<provider>`

  One of:

  ```plaintext
  aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace
  ```
* `<subcommand>` & resource args

  Vary by provider (see "Examples" or run `p0 grant <provider> --help`)
* `--to <principal>`

  **Required.** Email or service-account identifier to receive access
* `--duration <duration>`

  The requested duration of access (e.g. `4 hours`, `1 day`)
* `--reason <text>`

  *(Optional)* Justification for audit logs
* `-w, --wait`

  *(Optional)* Block until the request is approved/denied (up to 5 minutes)
* `--help`

  Show provider-specific subcommands and options

**Duration formats:**

Human-friendly strings such as 10 minutes, 2 hours, 5 days, 1 week.
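A local policy gate placed in front of `p0 grant`, as an added example that is not part of P0's documentation or tooling. The function names, the `MAX_MINUTES` ceiling, the strict `<n> <unit>` duration pattern and the mandatory reason are assumptions of this sketch; the CLI itself may accept more than this wrapper allows.

```shell
#!/bin/sh
# Added example (not P0 code): validate a request before calling `p0 grant`.
MAX_MINUTES=${MAX_MINUTES:-1440}   # assumed local ceiling: 1 day

# Print "<n> <unit>" as minutes; return 1 if it does not match the strict
# pattern this wrapper accepts (minute/hour/day/week, optional trailing "s").
duration_minutes() {
  _n=${1%% *}; _unit=${1#* }
  [ "$_n $_unit" = "$1" ] || return 1                  # exactly one space-separated pair
  case $_n in ''|0*|*[!0-9]*|?????*) return 1 ;; esac  # 1-4 digits, no leading zero
  case ${_unit%s} in
    minute) _mult=1 ;; hour) _mult=60 ;; day) _mult=1440 ;; week) _mult=10080 ;;
    *) return 1 ;;
  esac
  echo $(( _n * _mult ))
}

# Return 0 if the request passes local policy, else 2 (provider),
# 3 (principal), 4 (duration) or 5 (reason). Args: provider to duration reason
grant_precheck() {
  case $1 in
    aws|azure-ad|gcloud|k8s|okta|pg|snowflake|ssh|workspace) ;;
    *) echo "unknown provider: $1" >&2; return 2 ;;
  esac
  [ -n "$2" ] || { echo "--to is required" >&2; return 3; }
  _m=$(duration_minutes "$3") || { echo "unparsable duration: $3" >&2; return 4; }
  [ "$_m" -le "$MAX_MINUTES" ] || { echo "duration above $MAX_MINUTES minutes" >&2; return 4; }
  [ -n "$4" ] || { echo "a reason is required by local policy" >&2; return 5; }
}

# safe_grant <provider> <to> <duration> <reason> <subcommand and resource args...>
# e.g. safe_grant ssh charlie@example.com '4 hours' 'constructed reason' group --name devs
safe_grant() {
  grant_precheck "$1" "$2" "$3" "$4" || return
  _p=$1 _to=$2 _d=$3 _r=$4; shift 4
  # --wait blocks until the request is approved or denied; the exit status is p0's own.
  p0 grant "$_p" "$@" --to "$_to" --duration "$_d" --reason "$_r" --wait
}
```

Setting `MAX_MINUTES` in the environment changes the ceiling without editing the script.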

***

### **Supported Providers**

```plaintext
p0 grant aws        Amazon Web Services
p0 grant azure-ad   Entra ID
p0 grant gcloud     Google Cloud
p0 grant k8s        Kubernetes
p0 grant okta       Okta
p0 grant pg         PostgreSQL
p0 grant snowflake  Snowflake
p0 grant ssh        Secure Shell (SSH)
p0 grant workspace  Google Workspace
```

For detailed resource arguments per provider, append --help:

```plaintext
p0 grant aws --help
p0 grant gcloud --help
# …etc.
```

***

### **Examples**

#### **AWS: Ephemeral IAM Policy on a Resource**

```plaintext
p0 grant aws resource arn:aws:s3:::my-bucket/* ReadOnlyAccess \
  --account 123456789012 \
  --to alice@example.com \
  --duration '1 days'
```

* **Subcommand:** resource \<ARN> \<policy…>
* **Account:** AWS account ID
* **Outcome:** Alice can assume ReadOnlyAccess on my-bucket/\* for up to 1 day.

***

#### **GCP: One-Time IAM Role**

```plaintext
p0 grant gcloud role roles/viewer \
  --project my-gcp-project \
  --to bob@example.com \
  --duration '12 hours'
```

* **Subcommand:** role \<role-name>
* **Project:** GCP project ID
* **Outcome:** Bob gains the viewer role on my-gcp-project for 12 hours.

***

#### **SSH: Temporary Group Membership**

```plaintext
p0 grant ssh group --name devs \
  --to charlie@example.com \
  --duration '4 hours'
```

* **Subcommand:** group --name \<group-name>
* **Outcome:** Charlie is added to the SSH access group devs for 4 hours.

