# Troubleshooting ## p0 CLI Troubleshooting Overview A consolidated errors-and-resolutions guide, organized by command. Jump to the section matching the p0 command you’re using. *** ### [p0 login](/p0-cli/troubleshooting/p0-login.md) * **Missing Org ID** * **Symptom:** “The P0 organization ID is required.” * **Fix:** * `p0 login my-org-id` * Or `export P0_ORG=my-org-id` then `p0 login` * **Could not find organization** * **Symptom:** Error after SSO completes * **Fix:** * Verify exact org slug with your admin * Check network access to Firestore (VPN/proxy) * `unset P0_ORG` if pointing at the wrong env var * **Unsupported login provider** * **Symptom:** “Unsupported login for your organization” * **Fix:** * Confirm your org’s `ssoProvider` is one of: * `google` * `okta` * `ping` * `microsoft` * `cloudflare` * Contact your admin or `support@p0.dev` if you need a new plugin * **Browser SSO flow won’t open** * **Symptom:** “Waiting for authentication…” indefinitely * **Fix:** * `export BROWSER=path/to/browser` * Allow pop-ups for your P0 tenant URL * On headless servers, use local machine or X-forwarding * **File permission/write errors** * **Symptom:** `EACCES: permission denied, open '~/.p0/config.json'` * **Fix:** ```bash mkdir -p ~/.p0 chown $(whoami) ~/.p0 && chmod 700 ~/.p0 p0 login ``` * **Token expiry / login loop** * **Symptom:** Every command asks to login again * **Fix:** ```bash p0 logout p0 login my-org-id # ensure your system clock is accurate ``` *** ### [p0 kubeconfig](#p0-kubeconfig) * **Missing dependencies** * **Symptom:** “Required dependencies are missing” * **Fix:** * Install AWS CLI v2 + EKS plugin * Install `kubectl` v1.24+ and ensure it’s on `$PATH` * **Invalid `--role` format** * **Symptom:** “Invalid format for role argument” * **Fix:** * Use one of `ClusterRole / name`, `CuratedRole / name`, or `Role / ns / name` exactly * **Invalid `--resource` format** * **Symptom:** “Invalid format for resource argument” * **Fix:** * Must include spaces: `Kind / Namespace / Name` or `Kind / Name` * **Cluster integration lookup fails** * **Symptom:** “Failed to fetch cluster integration” * **Fix:** * Ensure cluster is onboarded in P0 Security * Confirm network access to the P0 API * Run with `P0_LOG=debug p0 kubeconfig …` * **AWS credential conflicts** * **Symptom:** Temporary profile overridden by env vars * **Fix:** ```bash unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY p0 kubeconfig … ``` * **`aws eks update-kubeconfig` errors** * **Fix:** * Test manually: ```bash aws eks update-kubeconfig \ --name --region --profile ``` * Verify cluster exists and profile is valid * **`kubectl config use-context` fails** * **Fix:** ```bash kubectl config get-contexts # Inspect ~/.kube/config for the new context entry ``` * **ARN parsing errors** * **Symptom:** “Invalid EKS cluster ARN” * **Fix:** * Ensure the ARN in P0 dashboard matches the format\ `arn:aws:eks:::cluster/` * **Pending approval / timeouts** * **Symptom:** Stuck on “Requesting access…” * **Fix:** * Approve in Slack or P0 UI * Wait \~30–60 s for propagation, or omit `--wait` *** ### [p0 allow](/p0-cli/troubleshooting/p0-allow.md) * **Authentication failures** * Login errors (see **p0 login** section) * **Flag & usage errors** * Missing `--to`, `--length`, or `--requested-duration` * Invalid timestamp in `--start` * **Network/API unreachable** * Check HTTPS egress to api.p0.app * **Provider validation** * Using wrong subcommand (e.g. `p0 allow aws role` vs. `resource`) * Run `p0 allow --help` * **`--wait` hangs or errors** * **Fix:** Omit `--wait`; check grant status in UI *** ### [p0 grant](#p0-grant) * **Authentication failures** * Login errors (see **p0 login** section) * **Network/API unreachable** * Same as **p0 allow** * **Flag & usage errors** * Missing `--to` or `--requested-duration` * Invalid provider or subcommand syntax * Use `p0 grant --help` * **`--wait` hangs / exits non-zero** * Code `2` = Denied, Code `1` = Provisioning error * Omit `--wait` and inspect logs *** ### [p0 ls](#p0-ls) * **Pagination / truncation** * “Showing the first N…” but you expect more * **Fix:** Increase `--size`, or add a filter term * **Invalid filters** * E.g. `p0 ls aws policy xyz` * Check provider-specific `--help` * **JSON mode parse errors** * Run without `--json` to verify human output *** ### [p0 scp](#p0-scp) * **Both sides remote or both local** * Must specify exactly one `host:path` {% hint style="info" %} Either the source or the destination, must be a remote location. Remote location is detected by checking for a host:path pattern in the source and destination. {% endhint %} * **Unsupported ports on Azure** * Azure SSH only supports port 22—remove `-P` * **Host resolution errors** * Verify `p0 ls ssh session ` returns your host * **Underlying scp errors** * Run `scp -i /path/to/temp_key src dest` (from debug output) to isolate *** ### [p0 ssh-resolve](#p0-ssh-resolve) {% hint style="info" %} This command is meant to be used in an `~/.ssh/config` file but for troubleshooting it can be ran standalone {% endhint %} * **Authentication & config errors** * Login issues (see **p0 login** section) * **Invalid arguments** * Wrong alias, missing `--provider` when ambiguous * **Request JSON/key generation** * Ensure `~/.p0/ssh/id_rsa` exists (run `p0 ssh-keygen`) * **Config file not written** * Verify write permissions on `~/.p0/ssh/configs` * **SSH fails after resolve** * Inspect the generated config and run `ssh -F -vvv` *** ### Gathering Diagnostics 1. **SSH trace** ```bash ssh -vvv 2>&1 | tee ssh-debug.log ``` 2. **Collect files** * `~/.p0/config.json` * `~/.p0/identity.json` * Generated keys/JSON under `~/.p0/ssh/` * Provider CLI versions (`aws --version`, `gcloud --version`, etc.) 3. **Support**\ Send logs, command lines, and environment details to [**support@p0.dev**](mailto:support@p0.dev) or post in your org’s **#p0-help** Slack. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.p0.dev/p0-cli/troubleshooting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.