# p0 ls

### **Overview** <a href="#overview" id="overview"></a>

The p0 ls command lets you **discover** which resources and arguments you can use with P0's request (grant/request) and standing-access (allow) workflows. It:

* Lists valid identifiers (ARNs, role names, group IDs, etc.)
* Marks items you **already have access** to with \*
* Supports filtering and paging
* Outputs either human-readable lists or raw JSON

Use p0 ls to eliminate guesswork when constructing p0 grant or p0 allow commands.

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* **Network access**

  Allow HTTPS egress to https\://\<your-tenant>/o/\<org-slug>/command/.

***

### **Global Syntax & Flags** <a href="#global-syntax-and-flags" id="global-syntax-and-flags"></a>

```plaintext
p0 ls [integration] [subcommand…] [--size N] [--json]
```

* **\[integration]**: the integration to query, for example aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace and more.
* **\[subcommand…]**: provider-specific resource filters (see below).
* **--size N**: how many items to **display** (default: 15). Internally fetches 2×N to detect truncation.
* **--json**: print the **full JSON** response and exit.
* **--help**: show global or provider-specific help.

***

### **Providers & Subcommands** <a href="#providers-and-subcommands" id="providers-and-subcommands"></a>

Run p0 ls \<provider> --help for the exact list; here's what each supports:

#### **AWS** <a href="#aws" id="aws"></a>

* **permission-set** \<name>

  List AWS IAM Identity Center (SSO) permission sets matching role when using a federated identity.
* **policy** \<arns…>

  List AWS IAM policies by ARN filter.
* **resource** \<arn> \<policies…>

  List which policies can attach to a given AWS resource ARN.

**Examples**

```plaintext
# Find permission sets containing "ReadOnly"
p0 ls aws permission-set ReadOnly

# List policies that match the AmazonS3* managed policies
p0 ls aws policy arn:aws:iam::aws:policy/AmazonS3*

# Show attachable policies for a bucket
p0 ls aws resource arn:aws:s3:::my-bucket ReadOnlyAccess
```

***

#### **Azure AD (Entra ID)** <a href="#azure-a-d-entra-id" id="azure-a-d-entra-id"></a>

* **membership** \[groupId]

  List group memberships; if groupId is supplied, list members of that group.

**Examples**

```plaintext
# List all groups you could request membership in
p0 ls azure-ad membership

# List members of a specific group
p0 ls azure-ad membership 12345-abcde-67890
```

***

#### **Google Cloud (GCP)** <a href="#google-cloud-gcp" id="google-cloud-gcp"></a>

* **resource** \<locator> \<accesses…>

  List available accesses (e.g., roles, permissions) for a GCP resource locator (project, folder, etc.).
* **role** \<name…>

  List IAM roles matching name filters.
* **permission** \<name…>

  List IAM permissions matching name filters.

**Examples**

```plaintext
# List predefined roles containing "viewer"
p0 ls gcloud role viewer

# List permissions containing "compute.instances.get"
p0 ls gcloud permission compute.instances.get

# Show which role grants apply to a specific project
p0 ls gcloud resource my-gcp-project roles
```

***

#### **Kubernetes** <a href="#kubernetes" id="kubernetes"></a>

* **resource**

  List Kubernetes resource types you can request or allow (e.g., pods, deployments, clusterroles).

**Examples**

```plaintext
# Show top-level k8s resource types
p0 ls k8s resource
```

***

#### **Okta** <a href="#okta" id="okta"></a>

* **membership** \[groupId]

  List Okta groups or, if groupId is given, the members of that group.

**Examples**

```plaintext
# List all Okta groups available to you
p0 ls okta membership

# List members of the "Support" group
p0 ls okta membership 00g1abcd2EFGHijK3l4
```

***

#### **PostgreSQL** <a href="#postgresql" id="postgresql"></a>

* **role** \<roles…>

  List PostgreSQL roles matching provided names.
* **sql** \<text>

  Infer required permissions by parsing a SQL statement or script.

**Examples**

```plaintext
# List all database roles that match "read"
p0 ls pg role read

# See which permissions a SQL query would need
p0 ls pg sql "SELECT * FROM users;"
```

***

#### **Snowflake** <a href="#snowflake" id="snowflake"></a>

* **role** \<name>

  List Snowflake roles matching \<name>.
* **sql** \<text>

  Infer required permissions by parsing a SQL statement or script.

**Examples**

```plaintext
# List Snowflake roles containing "ANALYST"
p0 ls snowflake role ANALYST

# Determine grants needed for a query
p0 ls snowflake sql "SELECT COUNT(*) FROM orders;"
```

***

#### **SSH** <a href="#ssh" id="ssh"></a>

* **session** \<destination>

  List SSH session instances (target host keys, Bastion details) matching \<destination>.
* **parent** \<parent>

  List all SSH resources that a given parent (user or group) can access.
* **group**

  List SSH access groups. A group is the tag value matching the tag key specified when installing the SSH integration.

**Examples**

```plaintext
# List all SSH groups
p0 ls ssh group

# Show sessions matching "prod-web"
p0 ls ssh session prod-web

# List all instances accessible by group "devs"
p0 ls ssh parent devs
```

***

#### **Google Workspace** <a href="#google-workspace" id="google-workspace"></a>

* **membership** \[groupId]

  List Workspace groups or, if groupId is provided, the members of that group.

**Examples**

```plaintext
# List all Google Workspace groups
p0 ls workspace membership

# List users in a specific Workspace group
p0 ls workspace membership team-marketing@example.com
```

***

### **Output Details** <a href="#output-details" id="output-details"></a>

* **Human mode**
  * Marks items you already have (isPreexisting) with \*.
  * Shows "Showing the first N…" and suggests filters if truncated.
  * Aligns key and value columns; long entries wrap with dimmed metadata.
* **JSON mode**

  Outputs:

```plaintext
{
  "ok": true,
  "items": [
    { "key": "...", "value": "...", "group": "...", "isPreexisting": true },
    …
  ],
  "isTruncated": false,
  "term": "",
  "arg": "<subcommand>"
}
```
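
The following added example (not part of the P0 documentation or the P0 CLI) shows one way to consume the JSON-mode response in an access review: it separates entries already held (`isPreexisting`) from those that would need a request, and refuses to treat a truncated listing as complete. The sample response is constructed, and `split_listing`, `ListingError` and the handling of a missing `isPreexisting` field are assumptions of this example.

```python
import json

# Constructed sample in the JSON-mode shape shown above; every value is invented.
SAMPLE = """
{
  "ok": true,
  "items": [
    {"key": "ReadOnlyAccess", "value": "policy-a", "group": "policy", "isPreexisting": true},
    {"key": "AmazonS3ReadOnlyAccess", "value": "policy-b", "group": "policy", "isPreexisting": false},
    {"key": "AmazonS3FullAccess", "value": "policy-c", "group": "policy"}
  ],
  "isTruncated": false,
  "term": "",
  "arg": "policy"
}
"""


class ListingError(Exception):
    """The response cannot be used as a complete, trustworthy listing."""


def split_listing(raw, allow_truncated=False):
    """Return (held, requestable) lists of item keys from one JSON-mode response."""
    doc = json.loads(raw)
    if doc.get("ok") is not True:
        raise ListingError("response did not report ok=true")
    # A truncated page is not the full set of entitlements: fail closed so an
    # access review never treats a partial listing as complete.
    if doc.get("isTruncated") and not allow_truncated:
        raise ListingError("listing is truncated; narrow the filter and rerun")
    held, requestable = [], []
    for item in doc.get("items", []):
        # Assumption: an absent isPreexisting flag means access is not held.
        target = held if item.get("isPreexisting") is True else requestable
        target.append(item["key"])
    return held, requestable


if __name__ == "__main__":
    held, requestable = split_listing(SAMPLE)
    print("already held:", held)
    print("requestable: ", requestable)
```

To use it on real output, pass the text printed by a `p0 ls … --json` invocation to `split_listing` in place of `SAMPLE`.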


