p0 ls

Overview

The p0 ls command lets you discover which resources and arguments you can use with P0’s request (grant/request) and standing-access (allow) workflows. It:

Lists valid identifiers (ARNs, role names, group IDs, etc.)
Marks items you already have access to with *
Supports filtering and paging
Outputs either human-readable lists or raw JSON

Use p0 ls to eliminate guesswork when constructing p0 grant or p0 allow commands.

Prerequisites

Logged-in user
Network access
Allow HTTPS egress to https://<your-tenant>/o/<org-slug>/command/.

Global Syntax & Flags

p0 ls [integration] [subcommand…] [--size N] [--json]

[integration]: example would be aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace and more.
[subcommand…]: provider-specific resource filters (see below).
--size N: how many items to display (default: 15). Internally fetches 2×N to detect truncation.
--json: print the full JSON response and exit.
--help: show global or provider-specific help.

Providers & Subcommands

Run p0 ls <provider> --help for the exact list; here’s what each supports:

AWS

permission-set <name>
List AWS IAM Identity Center (SSO) permission sets matching role when using a federated identity.
policy <arns…>
List AWS IAM policies by ARN filter.
resource <arn> <policies…>
List which policies can attach to a given AWS resource ARN.

Examples

# Find permission sets containing "ReadOnly"
p0 ls aws permission-set ReadOnly

# List policies that match the AmazonS3* managed policies
p0 ls aws policy arn:aws:iam::aws:policy/AmazonS3*

# Show attachable policies for a bucket
p0 ls aws resource arn:aws:s3:::my-bucket ReadOnlyAccess

Azure AD (Entra ID)

membership [groupId]
List group memberships; if groupId is supplied, list members of that group.

Examples

# List all groups you could request membership in
p0 ls azure-ad membership

# List members of a specific group
p0 ls azure-ad membership 12345-abcde-67890

Google Cloud (GCP)

resource <locator> <accesses…>
List available accesses (e.g., roles, permissions) for a GCP resource locator (project, folder, etc.).
role <name…>
List IAM roles matching name filters.
permission <name…>
List IAM permissions matching name filters.

Examples

# List predefined roles containing "viewer"
p0 ls gcloud role viewer

# List permissions containing "compute.instances.get"
p0 ls gcloud permission compute.instances.get

# Show which role grants apply to a specific project
p0 ls gcloud resource my-gcp-project roles

Kubernetes

resource
List Kubernetes resource types you can request or allow (e.g., pods, deployments, clusterroles).

Examples

# Show top-level k8s resource types
p0 ls k8s resource

Okta

membership [groupId]
List Okta groups or, if groupId is given, the members of that group.

Examples

# List all Okta groups available to you
p0 ls okta membership

# List members of the "Support" group
p0 ls okta membership 00g1abcd2EFGHijK3l4

PostgreSQL

role <roles…>
List PostgreSQL roles matching provided names.
sql <text>
Infer required permissions by parsing a SQL statement or script.

Examples

# List all database roles that match "read"
p0 ls pg role read

# See which permissions a SQL query would need
p0 ls pg sql "SELECT * FROM users;"

Snowflake

role <name>
List Snowflake roles matching <name>.
sql <text>
Infer required permissions by parsing a SQL statement or script.

Examples

# List Snowflake roles containing "ANALYST"
p0 ls snowflake role ANALYST

# Determine grants needed for a query
p0 ls snowflake sql "SELECT COUNT(*) FROM orders;"

SSH

session <destination>
List SSH session instances (target host keys, Bastion details) matching <destination>.
parent <parent>
List all SSH resources that a given parent (user or group) can access.
group
List SSH access groups. Group is the tag value matching the tag key specificed when install the SSH integration.

Examples

# List all SSH groups
p0 ls ssh group

# Show sessions matching "prod-web"
p0 ls ssh session prod-web

# List all instances accessible by group "devs"
p0 ls ssh parent devs

Google Workspace

membership [groupId]
List Workspace groups or, if groupId is provided, the members of that group.

Examples

# List all Google Workspace groups
p0 ls workspace membership

# List users in a specific Workspace group
p0 ls workspace membership [email protected]

Output Details

Human mode
- Marks items you already have (isPreexisting) with *.
- Shows “Showing the first N…” and suggests filters if truncated.
- Aligns key and value columns; long entries wrap with dimmed metadata.
JSON mode
Outputs:

{
  "ok": true,
  "items": [
    { "key": "...", "value": "...", "group": "...", "isPreexisting": true },
    …
  ],
  "isTruncated": false,
  "term": "",
  "arg": "<subcommand>"
}

Previousp0 request Nextp0 allow

Last updated 1 month ago