# p0 ssh-resolve

### **Overview** <a href="#overview" id="overview"></a>

The `p0 ssh-resolve` command provisions and prepares everything you need for an SSH session to a P0-managed instance. It:

1. **Creates** (or reuses) an approved SSH access request
2. **Generates** any provider-specific credentials or certificates
3. **Writes** a tiny SSH config file under `~/.p0/ssh/configs/<destination>.config`
4. **Leaves** you ready to run `ssh <destination>` (with an `Include` stanza) or specify the generated config via `-F`

Use `p0 ssh-resolve` when you want to **pre-stage** your SSH configuration—ideal for automation, editor integrations, or when you need a clean, repeatable setup.

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* Your organization must have an **SSH integration** enabled for AWS, Azure, or GCP.
* Ensure you have network access to:
  * P0's API (`https://<tenant>/o/<org-slug>/command/`)
  * The target instance via your cloud provider's proxy (SSM, IAP, or Azure tunnel).

***

### **Syntax** <a href="#syntax" id="syntax"></a>

```plaintext
p0 ssh-resolve <destination>
  [--parent <parent-resource>]
  [--provider <aws|azure|gcloud>]
  [-q|--quiet]
  [--debug]
```

| **Parameter**      | **Required** | **Description**                                                               |
| ------------------ | ------------ | ----------------------------------------------------------------------------- |
| \<destination>     | Yes          | P0's session alias for your instance (no slashes), for example prod-web-01.   |
| --parent \<string> | No           | The containing resource (account ID, project, subscription) to scope lookups. |
| --provider <…>     | No           | Force a specific cloud SSH integration: aws, azure, or gcloud.                |
| -q, --quiet        | No           | Suppress all output (useful for scripting).                                   |
| --debug            | No           | Print extra diagnostic messages during provisioning and file writes.          |

***

### **What Happens Under the Hood** <a href="#what-happens-under-the-hood" id="what-happens-under-the-hood"></a>

1. **Authentication**

   Loads your cached identity (or forces login).
2. **Destination Validation**

   Ensures the alias contains no `/`.
3. **Access Request**

   Calls P0's backend to create or reuse an **approved-only** SSH session request.
4. **Key/Certificate Generation**

   Invokes any provider plugin's `generateKeys` to produce a private key (and optional certificate).

   * Defaults to `~/.p0/ssh/id_rsa` if no plugin-specific keys are created.
5. **Temporary JSON**

   Writes the raw request payload to a safe temporary file (for use by ssh-proxy).
6. **SSH Config Creation**

   Constructs and writes:

```plaintext
~/.p0/ssh/configs/<destination>.config
```

containing:

```plaintext
Host <destination>
  Hostname <destination>
  User <linuxUserName>
  IdentityFile <private-key-path>
  [CertificateFile <certificate-path>]
  PasswordAuthentication no
  ProxyCommand p0 ssh-proxy %h --port %p --provider <provider> \
    --identity-file <private-key-path> --request-json <temp-json-path> \
    [--org <org-id>]
```

{% hint style="info" %}
The `--org` flag is included automatically when the `P0_ORG` environment variable is set during `p0 ssh-resolve`. This ensures the SSH proxy authenticates against the correct organization. See [Multi-organization SSH access](https://docs.p0.dev/integrations/resource-integrations/ssh#multi-organization-ssh-access) for setup instructions.
{% endhint %}
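
To check a generated file against the layout above before a pipeline passes it to `ssh -F`, the script below is an added example, not part of the p0 CLI or of P0's own code. The function names and return codes are assumptions; it checks the alias rule, the `Host` stanza, `PasswordAuthentication no`, the `p0 ssh-proxy` ProxyCommand, and that the identity file is not accessible to group or others.

```shell
#!/bin/sh
# Added example (not part of the p0 CLI): audit a config file written by
# `p0 ssh-resolve` before a pipeline runs `ssh -F <file> <destination>`.
# Function names and return codes are hypothetical.

# Print the first value of an SSH config keyword (keywords are case-insensitive).
p0_directive() {
  awk -v k="$2" 'tolower($1) == tolower(k) {
    $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

audit_p0_config() {
  dest=$1 cfg=$2
  # Destination rule from the page: the alias contains no "/", which also
  # keeps <destination>.config inside ~/.p0/ssh/configs/.
  case $dest in ''|*/*) echo "invalid alias: $dest" >&2; return 2 ;; esac
  [ -f "$cfg" ] || { echo "no config at $cfg" >&2; return 3; }

  [ "$(p0_directive "$cfg" Host)" = "$dest" ] ||
    { echo "Host stanza does not match $dest" >&2; return 4; }

  pw=$(p0_directive "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
  [ "$pw" = no ] || { echo "PasswordAuthentication is not 'no'" >&2; return 5; }

  case $(p0_directive "$cfg" ProxyCommand) in
    'p0 ssh-proxy '*) ;;
    *) echo "ProxyCommand is not p0 ssh-proxy" >&2; return 6 ;;
  esac

  key=$(p0_directive "$cfg" IdentityFile)
  case $key in '~/'*) key=$HOME/${key#??} ;; esac
  [ -f "$key" ] || { echo "identity file missing: $key" >&2; return 7; }
  # OpenSSH refuses private keys that group or others can access.
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
    { echo "identity file too permissive: $key" >&2; return 8; }
}

# Usage: sh audit.sh <destination> [config-path]
if [ $# -ge 1 ]; then
  audit_p0_config "$1" "${2:-$HOME/.p0/ssh/configs/$1.config}"
fi
```

A non-zero return code identifies the first check that failed, so a CI job can stop before opening the session.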

***

### **Tips & Best Practices** <a href="#tips-and-best-practices" id="tips-and-best-practices"></a>

* **Include in `~/.ssh/config`**

  Add at the top of your SSH config:

```plaintext
Include ~/.p0/ssh/configs/*.config
```

  Then you can run `ssh prod-web-01` directly.
* **Rotate credentials**

  Run `p0 ssh-resolve <dest>` again to refresh credentials or pick up policy changes.
* **Use %h and %p** in custom configs to avoid hard-coding hostnames and ports.
* **Suppress Output**

  Use `-q` in CI/CD pipelines to avoid log clutter.
