# p0 request

### Overview

* Manually request just-in-time access to resources across AWS, Azure AD, GCP, Okta, SSH, and Google Workspace.
* Create a time-boxed access request instead of granting standing permissions.
* Send the request for approval and, once approved, automatically provision permissions for your specified duration.
* Apply your organization’s guardrails, including auto-revocation at expiry.
* Generate a complete audit trail showing who requested what, when, and why.
* Attach a reason for audit logging and approval context.
* Optionally block (`--wait`) until provisioning completes, then execute the underlying command (e.g., `aws`, `gcloud`, `ssh`).
* Integrate with Slack (or your configured notification channel) for approval workflows and notifications.
* Enforce your organization’s TTL policy and auto-revoke rights at expiry.

### Prerequisites

* **Logged-in user**
* **Network access**: allow HTTPS to `https://api.p0.app/o/<org-slug>/command/`.

### Syntax

```
p0 request <provider> <subcommand> [resource-args…]
    [--reason <text>]
    [-w | --wait]
```

* `<provider>`
  * `aws`
  * `azure-ad`
  * `gcloud`
  * `okta`
  * `ssh`
  * `workspace`
* `<subcommand>` & resource-args
  * Provider-specific; run `p0 request <provider> --help` for details.
* `--reason <text>`
  * Justification for audit and approver context.
* `-w, --wait`
  * Block until access is provisioned and then execute the underlying tooling command.

### Global Flags

* `--help`
  * Show help for any command.
* `--reason <text>`
  * Provide a justification string.
* `-w, --wait`
  * Wait for provisioning before returning.

### Supported Providers

* **AWS**
  * `p0 request aws role <role-name>`
  * `p0 request aws resource <ARN>`
* **Azure AD**
  * `p0 request azure-ad user <UPN>`
  * `p0 request azure-ad group <group-name>`
* **GCP**
  * `p0 request gcloud role <role-name>`
  * `p0 request gcloud resource <resource-path>`
  * `p0 request gcloud permission <permission-name>` ([GitHub](https://raw.githubusercontent.com/p0-security/p0cli/main/README.md))
* **Okta**
  * `p0 request okta group <group-name>`
* **SSH**
  * `p0 request ssh destination <instance-id>`
* **Workspace**
  * `p0 request workspace drive <file-id>`
  * `p0 request workspace group <group-email>`
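
A pre-flight guard for scripts and runbooks that call `p0 request`, added here as an example and not part of the p0 CLI or its documentation: it refuses to submit a request that has no usable reason or names a provider outside the list above. The names `p0_request_checked` and `P0_BIN` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: wrapper that validates a request before handing it to p0.
# p0_request_checked and P0_BIN are hypothetical names, not p0 features.

# Binary to invoke; overridable so the wrapper can be exercised with a stub.
P0_BIN="${P0_BIN:-p0}"

# usage: p0_request_checked <reason> <provider> <subcommand> [resource-args...]
# Returns 2 without calling p0 when the request would lack audit context.
p0_request_checked() {
    if [ "$#" -lt 3 ]; then
        echo "usage: p0_request_checked <reason> <provider> <subcommand> [resource-args...]" >&2
        return 2
    fi
    p0rc_reason=$1
    p0rc_provider=$2
    shift 2   # "$@" is now: <subcommand> [resource-args...]

    # An empty or whitespace-only reason gives approvers and the audit
    # trail nothing to work with, so stop before a request is created.
    p0rc_trimmed=$(printf '%s' "$p0rc_reason" | tr -d '[:space:]')
    if [ -z "$p0rc_trimmed" ]; then
        echo "refusing request: reason is empty" >&2
        return 2
    fi

    # Accept only the providers listed on this page.
    case $p0rc_provider in
        aws|azure-ad|gcloud|okta|ssh|workspace) ;;
        *)
            echo "refusing request: unknown provider '$p0rc_provider'" >&2
            return 2
            ;;
    esac

    # Quoted expansions keep the reason and every resource argument as a
    # single word, so spaces or shell metacharacters are never re-parsed.
    "$P0_BIN" request "$p0rc_provider" "$@" --reason "$p0rc_reason" --wait
}
```

The wrapper always passes `--wait`, so the caller's next command runs only after `p0` returns.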

### Examples

1. **AWS IAM Role**

   ```bash
   p0 request aws role MyReadOnlyRole \
     --account 123456789012 \
     --reason "Investigating S3 access issues" \
     --wait
   ```

   Outcome: Requests the `MyReadOnlyRole` role in account `123456789012` and blocks until it is provisioned; you can then run AWS commands under that role.
2. **GCP Viewer Role**

   ```bash
   p0 request gcloud role roles/viewer \
     --project my-gcp-project \
     --reason "Ad-hoc data audit" \
     --wait
   ```

   Outcome: Creates a GCP IAM request for the \`roles/view
