p0 ls

Overview

The p0 ls command lets you discover which resources and arguments you can use with P0’s request (grant/request) and standing-access (allow) workflows. It:

  • Lists valid identifiers (ARNs, role names, group IDs, etc.)

  • Marks items you already have access to with *

  • Supports filtering and paging

  • Outputs either human-readable lists or raw JSON

Use p0 ls to eliminate guesswork when constructing p0 grant or p0 allow commands.


Prerequisites

  • Logged-in user

  • Network access

    Allow HTTPS egress to https://<your-tenant>/o/<org-slug>/command/.


Global Syntax & Flags

p0 ls [integration] [subcommand…] [--size N] [--json]
  • [integration]: the provider to query, for example aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace and more.

  • [subcommand…]: provider-specific resource filters (see below).

  • --size N: how many items to display (default: 15). Internally fetches 2×N to detect truncation.

  • --json: print the full JSON response and exit.

  • --help: show global or provider-specific help.


Providers & Subcommands

Run p0 ls <provider> --help for the exact list; here’s what each supports:

AWS

  • permission-set <name>

    List AWS IAM Identity Center (SSO) permission sets matching role when using a federated identity.

  • policy <arns…>

    List AWS IAM policies by ARN filter.

  • resource <arn> <policies…>

    List which policies can attach to a given AWS resource ARN.

Examples

# Find permission sets containing "ReadOnly"
p0 ls aws permission-set ReadOnly

# List policies that match the AmazonS3* managed policies
p0 ls aws policy arn:aws:iam::aws:policy/AmazonS3*

# Show attachable policies for a bucket
p0 ls aws resource arn:aws:s3:::my-bucket ReadOnlyAccess

Azure AD (Entra ID)

  • membership [groupId]

    List group memberships; if groupId is supplied, list members of that group.

Examples

# List all groups you could request membership in
p0 ls azure-ad membership

# List members of a specific group
p0 ls azure-ad membership 12345-abcde-67890

Google Cloud (GCP)

  • resource <locator> <accesses…>

    List available accesses (e.g., roles, permissions) for a GCP resource locator (project, folder, etc.).

  • role <name…>

    List IAM roles matching name filters.

  • permission <name…>

    List IAM permissions matching name filters.

Examples

# List predefined roles containing "viewer"
p0 ls gcloud role viewer

# List permissions containing "compute.instances.get"
p0 ls gcloud permission compute.instances.get

# Show which role grants apply to a specific project
p0 ls gcloud resource my-gcp-project roles

Kubernetes

  • resource

    List Kubernetes resource types you can request or allow (e.g., pods, deployments, clusterroles).

Examples

# Show top-level k8s resource types
p0 ls k8s resource

Okta

  • membership [groupId]

    List Okta groups or, if groupId is given, the members of that group.

Examples

# List all Okta groups available to you
p0 ls okta membership

# List members of the "Support" group
p0 ls okta membership 00g1abcd2EFGHijK3l4

PostgreSQL

  • role <roles…>

    List PostgreSQL roles matching provided names.

  • sql <text>

    Infer required permissions by parsing a SQL statement or script.

Examples

# List all database roles that match "read"
p0 ls pg role read

# See which permissions a SQL query would need
p0 ls pg sql "SELECT * FROM users;"

Snowflake

  • role <name>

    List Snowflake roles matching <name>.

  • sql <text>

    Infer required permissions by parsing a SQL statement or script.

Examples

# List Snowflake roles containing "ANALYST"
p0 ls snowflake role ANALYST

# Determine grants needed for a query
p0 ls snowflake sql "SELECT COUNT(*) FROM orders;"

SSH

  • session <destination>

    List SSH session instances (target host keys, bastion details) matching <destination>.

  • parent <parent>

    List all SSH resources that a given parent (user or group) can access.

  • group

    List SSH access groups. A group is the tag value matching the tag key specified when installing the SSH integration.

Examples

# List all SSH groups
p0 ls ssh group

# Show sessions matching "prod-web"
p0 ls ssh session prod-web

# List all instances accessible by group "devs"
p0 ls ssh parent devs

Google Workspace

  • membership [groupId]

    List Workspace groups or, if groupId is provided, the members of that group.

Examples

# List all Google Workspace groups
p0 ls workspace membership

# List users in a specific Workspace group
p0 ls workspace membership [email protected]

Output Details

  • Human mode

    • Marks items you already have (isPreexisting) with *.

    • Shows “Showing the first N…” and suggests filters if truncated.

    • Aligns key and value columns; long entries wrap with dimmed metadata.

  • JSON mode

    Outputs:

{
  "ok": true,
  "items": [
    { "key": "...", "value": "...", "group": "...", "isPreexisting": true }
  ],
  "isTruncated": false,
  "term": "",
  "arg": "<subcommand>"
}
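
An added example (not part of the P0 documentation or CLI): a Python helper that consumes the JSON-mode response for an access review, separating items you already hold (isPreexisting) from requestable ones and refusing to treat a failed or truncated response as a complete inventory. The sample response is constructed; that --json writes only the JSON document to stdout, and what key and value contain, are assumptions.

```python
import json
import subprocess

# Constructed sample shaped like the JSON-mode response documented above.
# The contents of "key", "value" and "group" are assumptions for illustration.
SAMPLE = """{
  "ok": true,
  "items": [
    {"key": "ReadOnlyAccess", "value": "arn:aws:iam::aws:policy/ReadOnlyAccess", "group": "policy", "isPreexisting": true},
    {"key": "AmazonS3ReadOnlyAccess", "value": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", "group": "policy", "isPreexisting": false},
    {"key": "AmazonS3FullAccess", "value": "arn:aws:iam::aws:policy/AmazonS3FullAccess", "group": "policy", "isPreexisting": false}
  ],
  "isTruncated": true, "term": "", "arg": "policy"
}"""


def summarize(raw):
    """Split a `p0 ls --json` response into held vs. requestable items."""
    resp = json.loads(raw)
    if resp.get("ok") is not True:
        # A failed call must not be read as "nothing is accessible".
        raise ValueError("p0 ls did not return ok=true")
    held, requestable = [], []
    for item in resp.get("items", []):
        # A missing isPreexisting flag is treated as "not held" (assumption).
        bucket = held if item.get("isPreexisting") else requestable
        bucket.append(item["key"])
    return {
        "arg": resp.get("arg"),
        "held": sorted(held),
        "requestable": sorted(requestable),
        # isTruncated=true means more items exist than were returned.
        "complete": not resp.get("isTruncated", False),
    }


def run_p0_ls(*args, size=100):
    """Run the CLI in JSON mode; needs a logged-in p0 session and egress."""
    cmd = ["p0", "ls", *args, "--size", str(size), "--json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return summarize(out.stdout)


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(json.dumps(report, indent=2))
    if not report["complete"]:
        print("List truncated: narrow the filter or raise --size before relying on it.")
```
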
