# Troubleshooting ## p0 CLI Troubleshooting Overview A consolidated errors-and-resolutions guide, organized by command. Jump to the section matching the p0 command you’re using. *** ### [p0 login](https://docs.p0.dev/p0-cli/troubleshooting/p0-login) * **Missing Org ID** * **Symptom:** “The P0 organization ID is required.” * **Fix:** * `p0 login my-org-id` * Or `export P0_ORG=my-org-id` then `p0 login` * **Could not find organization** * **Symptom:** Error after SSO completes * **Fix:** * Verify exact org slug with your admin * Check network access to Firestore (VPN/proxy) * `unset P0_ORG` if pointing at the wrong env var * **Unsupported login provider** * **Symptom:** “Unsupported login for your organization” * **Fix:** * Confirm your org’s `ssoProvider` is one of: * `google` * `okta` * `ping` * `microsoft` * `cloudflare` * Contact your admin or `support@p0.dev` if you need a new plugin * **Browser SSO flow won’t open** * **Symptom:** “Waiting for authentication…” indefinitely * **Fix:** * `export BROWSER=path/to/browser` * Allow pop-ups for your P0 tenant URL * On headless servers, use local machine or X-forwarding * **File permission/write errors** * **Symptom:** `EACCES: permission denied, open '~/.p0/config.json'` * **Fix:** ```bash mkdir -p ~/.p0 chown $(whoami) ~/.p0 && chmod 700 ~/.p0 p0 login ``` * **Token expiry / login loop** * **Symptom:** Every command asks to login again * **Fix:** ```bash p0 logout p0 login my-org-id # ensure your system clock is accurate ``` *** ### [p0 kubeconfig](#p0-kubeconfig) * **Missing dependencies** * **Symptom:** “Required dependencies are missing” * **Fix:** * Install AWS CLI v2 + EKS plugin * Install `kubectl` v1.24+ and ensure it’s on `$PATH` * **Invalid `--role` format** * **Symptom:** “Invalid format for role argument” * **Fix:** * Use one of `ClusterRole / name`, `CuratedRole / name`, or `Role / ns / name` exactly * **Invalid `--resource` format** * **Symptom:** “Invalid format for resource argument” * **Fix:** * Must include spaces: `Kind / Namespace / Name` or `Kind / Name` * **Cluster integration lookup fails** * **Symptom:** “Failed to fetch cluster integration” * **Fix:** * Ensure cluster is onboarded in P0 Security * Confirm network access to the P0 API * Run with `P0_LOG=debug p0 kubeconfig …` * **AWS credential conflicts** * **Symptom:** Temporary profile overridden by env vars * **Fix:** ```bash unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY p0 kubeconfig … ``` * **`aws eks update-kubeconfig` errors** * **Fix:** * Test manually: ```bash aws eks update-kubeconfig \ --name --region --profile ``` * Verify cluster exists and profile is valid * **`kubectl config use-context` fails** * **Fix:** ```bash kubectl config get-contexts # Inspect ~/.kube/config for the new context entry ``` * **ARN parsing errors** * **Symptom:** “Invalid EKS cluster ARN” * **Fix:** * Ensure the ARN in P0 dashboard matches the format\ `arn:aws:eks:::cluster/` * **Pending approval / timeouts** * **Symptom:** Stuck on “Requesting access…” * **Fix:** * Approve in Slack or P0 UI * Wait \~30–60 s for propagation, or omit `--wait` *** ### [p0 allow](https://docs.p0.dev/p0-cli/troubleshooting/p0-allow) * **Authentication failures** * Login errors (see **p0 login** section) * **Flag & usage errors** * Missing `--to`, `--length`, or `--requested-duration` * Invalid timestamp in `--start` * **Network/API unreachable** * Check HTTPS egress to api.p0.app * **Provider validation** * Using wrong subcommand (e.g. `p0 allow aws role` vs. `resource`) * Run `p0 allow --help` * **`--wait` hangs or errors** * **Fix:** Omit `--wait`; check grant status in UI *** ### [p0 grant](#p0-grant) * **Authentication failures** * Login errors (see **p0 login** section) * **Network/API unreachable** * Same as **p0 allow** * **Flag & usage errors** * Missing `--to` or `--requested-duration` * Invalid provider or subcommand syntax * Use `p0 grant --help` * **`--wait` hangs / exits non-zero** * Code `2` = Denied, Code `1` = Provisioning error * Omit `--wait` and inspect logs *** ### [p0 ls](#p0-ls) * **Pagination / truncation** * “Showing the first N…” but you expect more * **Fix:** Increase `--size`, or add a filter term * **Invalid filters** * E.g. `p0 ls aws policy xyz` * Check provider-specific `--help` * **JSON mode parse errors** * Run without `--json` to verify human output *** ### [p0 scp](#p0-scp) * **Both sides remote or both local** * Must specify exactly one `host:path` {% hint style="info" %} Either the source or the destination, must be a remote location. Remote location is detected by checking for a host:path pattern in the source and destination. {% endhint %} * **Unsupported ports on Azure** * Azure SSH only supports port 22—remove `-P` * **Host resolution errors** * Verify `p0 ls ssh session ` returns your host * **Underlying scp errors** * Run `scp -i /path/to/temp_key src dest` (from debug output) to isolate *** ### [p0 ssh-resolve](#p0-ssh-resolve) {% hint style="info" %} This command is meant to be used in an `~/.ssh/config` file but for troubleshooting it can be ran standalone {% endhint %} * **Authentication & config errors** * Login issues (see **p0 login** section) * **Invalid arguments** * Wrong alias, missing `--provider` when ambiguous * **Request JSON/key generation** * Ensure `~/.p0/ssh/id_rsa` exists (run `p0 ssh-keygen`) * **Config file not written** * Verify write permissions on `~/.p0/ssh/configs` * **SSH fails after resolve** * Inspect the generated config and run `ssh -F -vvv` *** ### Gathering Diagnostics 1. **SSH trace** ```bash ssh -vvv 2>&1 | tee ssh-debug.log ``` 2. **Collect files** * `~/.p0/config.json` * `~/.p0/identity.json` * Generated keys/JSON under `~/.p0/ssh/` * Provider CLI versions (`aws --version`, `gcloud --version`, etc.) 3. **Support**\ Send logs, command lines, and environment details to [**support@p0.dev**](mailto:support@p0.dev) or post in your org’s **#p0-help** Slack.