# p0 ls

### **Overview** <a href="#overview" id="overview"></a>

The p0 ls command lets you **discover** which resources and arguments you can use with P0's request (grant/request) and standing-access (allow) workflows. It:

* Lists valid identifiers (ARNs, role names, group IDs, etc.)
* Marks items you **already have access** to with \*
* Supports filtering and paging
* Outputs either human-readable lists or raw JSON

Use p0 ls to eliminate guesswork when constructing p0 grant or p0 allow commands.

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* **Network access**

  Allow HTTPS egress to https\://\<your-tenant>/o/\<org-slug>/command/.

***

### **Global Syntax & Flags** <a href="#global-syntax-and-flags" id="global-syntax-and-flags"></a>

```plaintext
p0 ls [integration] [subcommand…] [--size N] [--json]
```

* **\[integration]**: the provider to query, for example aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace, and more.
* **\[subcommand…]**: provider-specific resource filters (see below).
* **--size N**: how many items to **display** (default: 15). Internally fetches 2×N to detect truncation.
* **--json**: print the **full JSON** response and exit.
* **--help**: show global or provider-specific help.

***

### **Providers & Subcommands** <a href="#providers-and-subcommands" id="providers-and-subcommands"></a>

Run p0 ls \<provider> --help for the exact list; here's what each supports:

#### **AWS** <a href="#aws" id="aws"></a>

* **permission-set** \<name>

  List AWS IAM Identity Center (SSO) permission sets matching role when using a federated identity.
* **policy** \<arns…>

  List AWS IAM policies by ARN filter.
* **resource** \<arn> \<policies…>

  List which policies can attach to a given AWS resource ARN.

**Examples**

```plaintext
# Find permission sets containing "ReadOnly"
p0 ls aws permission-set ReadOnly

# List policies that match the AmazonS3* managed policies
p0 ls aws policy arn:aws:iam::aws:policy/AmazonS3*

# Show attachable policies for a bucket
p0 ls aws resource arn:aws:s3:::my-bucket ReadOnlyAccess
```

***

#### **Azure AD (Entra ID)** <a href="#azure-a-d-entra-id" id="azure-a-d-entra-id"></a>

* **membership** \[groupId]

  List group memberships; if groupId is supplied, list members of that group.

**Examples**

```plaintext
# List all groups you could request membership in
p0 ls azure-ad membership

# List members of a specific group
p0 ls azure-ad membership 12345-abcde-67890
```

***

#### **Google Cloud (GCP)** <a href="#google-cloud-gcp" id="google-cloud-gcp"></a>

* **resource** \<locator> \<accesses…>

  List available accesses (e.g., roles, permissions) for a GCP resource locator (project, folder, etc.).
* **role** \<name…>

  List IAM roles matching name filters.
* **permission** \<name…>

  List IAM permissions matching name filters.

**Examples**

```plaintext
# List predefined roles containing "viewer"
p0 ls gcloud role viewer

# List permissions containing "compute.instances.get"
p0 ls gcloud permission compute.instances.get

# Show which role grants apply to a specific project
p0 ls gcloud resource my-gcp-project roles
```

***

#### **Kubernetes** <a href="#kubernetes" id="kubernetes"></a>

* **resource**

  List Kubernetes resource types you can request or allow (e.g., pods, deployments, clusterroles).

**Examples**

```plaintext
# Show top-level k8s resource types
p0 ls k8s resource
```

***

#### **Okta** <a href="#okta" id="okta"></a>

* **membership** \[groupId]

  List Okta groups or, if groupId is given, the members of that group.

**Examples**

```plaintext
# List all Okta groups available to you
p0 ls okta membership

# List members of the "Support" group
p0 ls okta membership 00g1abcd2EFGHijK3l4
```

***

#### **PostgreSQL** <a href="#postgresql" id="postgresql"></a>

* **role** \<roles…>

  List PostgreSQL roles matching provided names.
* **sql** \<text>

  Infer required permissions by parsing a SQL statement or script.

**Examples**

```plaintext
# List all database roles that match "read"
p0 ls pg role read

# See which permissions a SQL query would need
p0 ls pg sql "SELECT * FROM users;"
```

***

#### **Snowflake** <a href="#snowflake" id="snowflake"></a>

* **role** \<name>

  List Snowflake roles matching \<name>.
* **sql** \<text>

  Infer required permissions by parsing a SQL statement or script.

**Examples**

```plaintext
# List Snowflake roles containing "ANALYST"
p0 ls snowflake role ANALYST

# Determine grants needed for a query
p0 ls snowflake sql "SELECT COUNT(*) FROM orders;"
```

***

#### **SSH** <a href="#ssh" id="ssh"></a>

* **session** \<destination>

  List SSH session instances (target host keys, Bastion details) matching \<destination>.
* **parent** \<parent>

  List all SSH resources that a given parent (user or group) can access.
* **group**

  List SSH access groups. A group is the tag value matching the tag key specified when installing the SSH integration.

**Examples**

```plaintext
# List all SSH groups
p0 ls ssh group

# Show sessions matching "prod-web"
p0 ls ssh session prod-web

# List all instances accessible by group "devs"
p0 ls ssh parent devs
```

***

#### **Google Workspace** <a href="#google-workspace" id="google-workspace"></a>

* **membership** \[groupId]

  List Workspace groups or, if groupId is provided, the members of that group.

**Examples**

```plaintext
# List all Google Workspace groups
p0 ls workspace membership

# List users in a specific Workspace group
p0 ls workspace membership team-marketing@example.com
```

***

### **Output Details** <a href="#output-details" id="output-details"></a>

* **Human mode**
  * Marks items you already have (isPreexisting) with \*.
  * Shows "Showing the first N…" and suggests filters if truncated.
  * Aligns key and value columns; long entries wrap with dimmed metadata.
* **JSON mode**

  Outputs:

```plaintext
{
  "ok": true,
  "items": [
    { "key": "...", "value": "...", "group": "...", "isPreexisting": true },
    …
  ],
  "isTruncated": false,
  "term": "",
  "arg": "<subcommand>"
}
```
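
Added example (not P0's own code): a Python script that reads the JSON response documented above and separates entries you already hold (isPreexisting) from those you would still have to request, marking the result incomplete when isTruncated is set. The function names `fetch` and `inventory` and the sample values are assumptions constructed for illustration.

```python
import json
import subprocess

# Constructed sample in the documented response shape; keys and values are made up.
SAMPLE = """{
  "ok": true,
  "items": [
    {"key": "ReadOnlyAccess", "value": "example-1", "group": "policy", "isPreexisting": true},
    {"key": "AmazonS3ReadOnlyAccess", "value": "example-2", "group": "policy", "isPreexisting": false},
    {"key": "AmazonS3FullAccess", "value": "example-3", "group": "policy", "isPreexisting": false}
  ],
  "isTruncated": true,
  "term": "",
  "arg": "policy"
}"""


def fetch(args, size=15):
    """Run `p0 ls <args> --size N --json`; needs a logged-in p0 CLI on PATH."""
    cmd = ["p0", "ls", *args, "--size", str(size), "--json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def inventory(raw):
    """Split a `p0 ls --json` response into access already held and access to request."""
    resp = json.loads(raw)
    if resp.get("ok") is not True:
        raise ValueError("response did not report ok: true")
    report = {"held": {}, "requestable": {}}
    for item in resp.get("items", []):
        # Only an explicit isPreexisting: true counts as existing access.
        bucket = "held" if item.get("isPreexisting") is True else "requestable"
        report[bucket].setdefault(item.get("group", ""), []).append(item["key"])
    # Only an explicit isTruncated: false means the listing is complete; otherwise
    # narrow the filter or raise --size before using it as an inventory.
    report["complete"] = resp.get("isTruncated") is False
    report["arg"] = resp.get("arg")
    return report


if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE), indent=2))
```

Against a live tenant, `inventory(fetch(["aws", "policy"], size=50))` produces the same report from real output.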
