# p0 ssh-resolve

### **Overview** <a href="#overview" id="overview"></a>

The `p0 ssh-resolve` command provisions and prepares everything you need for an SSH session to a P0-managed instance. It:

1. **Creates** (or reuses) an approved SSH access request
2. **Generates** any provider-specific credentials or certificates
3. **Writes** a tiny SSH config file under \~/.p0/ssh/configs/\<destination>.config
4. **Leaves** you ready to run `ssh <destination>` (with an `Include` stanza) or specify the generated config via `-F`

Use `p0 ssh-resolve` when you want to **pre-stage** your SSH configuration—ideal for automation, editor integrations, or when you need a clean, repeatable setup.

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* Your organization must have an **SSH integration** enabled for AWS, Azure, or GCP.
* Ensure you have network access to:
  * P0's API (https\://\<tenant>/o/\<org-slug>/command/)
  * The target instance via your cloud provider's proxy (SSM, IAP, or Azure tunnel).

***

### **Syntax** <a href="#syntax" id="syntax"></a>

```plaintext
p0 ssh-resolve <destination>
  [--parent <parent-resource>]
  [--provider <aws|azure|gcloud>]
  [-q|--quiet]
  [--debug]
```

| **Parameter**      | **Required** | **Description**                                                               |
| ------------------ | ------------ | ----------------------------------------------------------------------------- |
|                    | Yes          | P0's session alias for your instance (no slashes), for example prod-web-01.   |
| --parent \<string> | No           | The containing resource (account ID, project, subscription) to scope lookups. |
| --provider <…>     | No           | Force a specific cloud SSH integration: aws, azure, or gcloud.                |
| -q, --quiet        | No           | Suppress all output (useful for scripting).                                   |
| --debug            | No           | Print extra diagnostic messages during provisioning and file writes.          |

***

### **What Happens Under the Hood** <a href="#what-happens-under-the-hood" id="what-happens-under-the-hood"></a>

1. **Authentication**

   Loads your cached identity (or forces login).
2. **Destination Validation**

   Ensures the alias contains no /.
3. **Access Request**

   Calls P0's backend to create or reuse an **approved-only** SSH session request.
4. **Key/Certificate Generation**

   Invokes any provider plugin's generateKeys to produce a private key (and optional certificate).

   * Defaults to \~/.p0/ssh/id\_rsa if no plugin-specific keys are created.
5. **Temporary JSON**

   Writes the raw request payload to a safe temporary file (for use by ssh-proxy).
6. **SSH Config Creation**

   Constructs and writes:

```plaintext
~/.p0/ssh/configs/<destination>.config
```

6. containing:

```plaintext
Host <destination>
  Hostname <destination>
  User <linuxUserName>
  IdentityFile <private-key-path>
  [CertificateFile <certificate-path>]
  PasswordAuthentication no
  ProxyCommand p0 ssh-proxy %h --port %p --provider <provider> \
    --identity-file <private-key-path> --request-json <temp-json-path> \
    [--org <org-id>]
```

{% hint style="info" %}
The `--org` flag is included automatically when the `P0_ORG` environment variable is set during `p0 ssh-resolve`. This ensures the SSH proxy authenticates against the correct organization. See [Multi-organization SSH access](/integrations/resource-integrations/ssh.md#multi-organization-ssh-access) for setup instructions.
{% endhint %}

***

### **Tips & Best Practices** <a href="#tips-and-best-practices" id="tips-and-best-practices"></a>

* **Include in \~/.ssh/config**

  Add at top of your SSH config:

```plaintext
Include ~/.p0/ssh/configs/*.config
```

* Then you can ssh prod-web-01 directly.
* **Rotate credentials**

  Run `p0 ssh-resolve <dest>` again to refresh credentials or pick up policy changes.
* **Use %h and %p** in custom configs to avoid hard-coding hostnames and ports.
* **Suppress Output**

  Use -q in CI/CD pipelines to avoid log clutter.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh-resolve.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.