> For the complete documentation index, see [llms.txt](https://docs.p0.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh-resolve.md).

# p0 ssh-resolve

### **Overview** <a href="#overview" id="overview"></a>

The `p0 ssh-resolve` command provisions and prepares everything you need for an SSH session to a P0-managed instance. It:

1. **Creates** (or reuses) an approved SSH access request
2. **Generates** any provider-specific credentials or certificates
3. **Writes** a tiny SSH config file under \~/.p0/ssh/configs/\<destination>.config
4. **Leaves** you ready to run `ssh <destination>` (with an `Include` stanza) or specify the generated config via `-F`

Use `p0 ssh-resolve` when you want to **pre-stage** your SSH configuration—ideal for automation, editor integrations, or when you need a clean, repeatable setup.

***

### **Prerequisites** <a href="#prerequisites" id="prerequisites"></a>

* **Logged-in user**
* Your organization must have an **SSH integration** enabled for AWS, Azure, or GCP.
* Ensure you have network access to:
  * P0's API (https\://\<tenant>/o/\<org-slug>/command/)
  * The target instance via your cloud provider's proxy (SSM, IAP, or Azure tunnel).

***

### **Syntax** <a href="#syntax" id="syntax"></a>

```plaintext
p0 ssh-resolve <destination>
  [--parent <parent-resource>]
  [--provider <aws|azure|gcloud|self-hosted>]
  [-q|--quiet]
  [--debug]
```

| **Parameter**      | **Required** | **Description**                                                               |
| ------------------ | ------------ | ----------------------------------------------------------------------------- |
|                    | Yes          | P0's session alias for your instance (no slashes), for example prod-web-01.   |
| --parent \<string> | No           | The containing resource (account ID, project, subscription) to scope lookups. |
| --provider <…>     | No           | Force a specific cloud SSH integration: aws, azure, gcloud, or self-hosted.   |
| -q, --quiet        | No           | Suppress all output (useful for scripting).                                   |
| --debug            | No           | Print extra diagnostic messages during provisioning and file writes.          |

***

### **What Happens Under the Hood** <a href="#what-happens-under-the-hood" id="what-happens-under-the-hood"></a>

1. **Authentication**

   Loads your cached identity (or forces login).
2. **Destination Validation**

   Ensures the alias contains no /.
3. **Access Request**

   Calls P0's backend to create or reuse an **approved-only** SSH session request.
4. **Key/Certificate Generation**

   Invokes any provider plugin's generateKeys to produce a private key (and optional certificate).

   * Defaults to \~/.p0/ssh/id\_rsa if no plugin-specific keys are created.
5. **Temporary JSON**

   Writes the raw request payload to a safe temporary file (for use by ssh-proxy).
6. **SSH Config Creation**

   Constructs and writes:

```plaintext
~/.p0/ssh/configs/<destination>.config
```

6. containing:

```plaintext
Host <destination>
  Hostname <destination>
  User <linuxUserName>
  IdentityFile <private-key-path>
  [CertificateFile <certificate-path>]
  PasswordAuthentication no
  ProxyCommand p0 ssh-proxy %h --port %p --provider <provider> \
    --identity-file <private-key-path> --request-json <temp-json-path> \
    [--org <org-id>]
```

{% hint style="info" %}
The `--org` flag is included automatically when the `P0_ORG` environment variable is set during `p0 ssh-resolve`. This ensures the SSH proxy authenticates against the correct organization. See [Multi-organization SSH access](/integrations/resource-integrations/ssh.md#multi-organization-ssh-access) for setup instructions.
{% endhint %}

***

### **Tips & Best Practices** <a href="#tips-and-best-practices" id="tips-and-best-practices"></a>

* **Include in \~/.ssh/config**

  Add at top of your SSH config:

```plaintext
Include ~/.p0/ssh/configs/*.config
```

* Then you can ssh prod-web-01 directly.
* **Rotate credentials**

  Run `p0 ssh-resolve <dest>` again to refresh credentials or pick up policy changes.
* **Use %h and %p** in custom configs to avoid hard-coding hostnames and ports.
* **Suppress Output**

  Use -q in CI/CD pipelines to avoid log clutter.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.p0.dev/p0-cli/p0-commands-and-usage/p0-ssh-resolve.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.