Sign up for FreeKnowledge Base

p0 ssh-resolve

Overview

The p0 ssh-resolve command provisions and prepares everything you need for an SSH session to a P0-managed instance. It:

  1. Creates (or reuses) an approved SSH access request

  2. Generates any provider-specific credentials or certificates

  3. Writes a tiny SSH config file under ~/.p0/ssh/configs/<destination>.config

  4. Leaves you ready to run ssh <destination> (with an Include stanza) or specify the generated config via -F

Use p0 ssh-resolve when you want to pre-stage your SSH configuration—ideal for automation, editor integrations, or when you need a clean, repeatable setup.

Prerequisites

  • Logged-in user

  • Your organization must have an SSH integration enabled for AWS, Azure, or GCP.

  • Ensure you have network access to:

    • P0’s API (https://<tenant>/o/<org-slug>/command/)

    • The target instance via your cloud provider’s proxy (SSM, IAP, or Azure tunnel).

Syntax

p0 ssh-resolve <destination>
  [--parent <parent-resource>]
  [--provider <aws|azure|gcloud>]
  [-q|--quiet]
  [--debug]

Parameter

Required

Description

<destination>

Yes

P0’s session alias for your instance (no slashes), e.g. prod-web-01.

--parent <string>

No

The containing resource (account ID, project, subscription) to scope lookups.

--provider <…>

No

Force a specific cloud SSH integration: aws, azure, or gcloud.

-q, --quiet

No

Suppress all output (useful for scripting).

--debug

No

Print extra diagnostic messages during provisioning and file writes.

What Happens Under the Hood

  1. Authentication

    Loads your cached identity (or forces login).

  2. Destination Validation

    Ensures the alias contains no /.

  3. Access Request

    Calls P0’s backend to create or reuse an approved-only SSH session request.

  4. Key/Certificate Generation

    Invokes any provider plugin’s generateKeys to produce a private key (and optional certificate).

    • Defaults to ~/.p0/ssh/id_rsa if no plugin-specific keys are created.

  5. Temporary JSON

    Writes the raw request payload to a safe temporary file (for use by ssh-proxy).

  6. SSH Config Creation

    Constructs and writes:

~/.p0/ssh/configs/<destination>.config

  1. containing:

Host <destination>
  Hostname <destination>
  User <linuxUserName>
  IdentityFile <private-key-path>
  [CertificateFile <certificate-path>]
  PasswordAuthentication no
  ProxyCommand p0 ssh-proxy %h --port %p --provider <provider> \
    --identityFile <private-key-path> --requestJson <temp-json-path>

Tips & Best Practices

  • Include in ~/.ssh/config

    Add at top of your SSH config:

Include ~/.p0/ssh/configs/*.config

  • Then you can ssh prod-web-01 directly.

  • Rotate Easily

    Run p0 ssh-resolve <dest> again to refresh credentials or pick up policy changes.

  • Use %h and %p in custom configs to avoid hard-coding hostnames and ports.

  • Suppress Output

    Use -q in CI/CD pipelines to avoid log clutter.

Previousp0 scpNextTroubleshooting

Last updated