Sign up for FreeKnowledge Base

Troubleshooting

p0 CLI Troubleshooting Overview

A consolidated errors-and-resolutions guide, organized by command. Jump to the section matching the p0 command you’re using.

p0 login

  • Missing Org ID

    • Symptom: “The P0 organization ID is required.”

    • Fix:

      • p0 login my-org-id

      • Or export P0_ORG=my-org-id then p0 login

  • Could not find organization

    • Symptom: Error after SSO completes

    • Fix:

      • Verify exact org slug with your admin

      • Check network access to Firestore (VPN/proxy)

      • unset P0_ORG if pointing at the wrong env var

  • Unsupported login provider

    • Symptom: “Unsupported login for your organization”

    • Fix:

      • Confirm your org’s ssoProvider is one of:

        • google

        • okta

        • ping

        • microsoft

        • cloudflare

      • Contact your admin or [email protected] if you need a new plugin

  • Browser SSO flow won’t open

    • Symptom: “Waiting for authentication…” indefinitely

    • Fix:

      • export BROWSER=path/to/browser

      • Allow pop-ups for your P0 tenant URL

      • On headless servers, use local machine or X-forwarding

  • File permission/write errors

    • Symptom: EACCES: permission denied, open '~/.p0/config.json'

    • Fix:

      mkdir -p ~/.p0
chown $(whoami) ~/.p0 && chmod 700 ~/.p0
p0 login <org>

  • Token expiry / login loop

    • Symptom: Every command asks to login again

    • Fix:

      p0 logout
p0 login my-org-id
# ensure your system clock is accurate

p0 kubeconfig

  • Missing dependencies

    • Symptom: “Required dependencies are missing”

    • Fix:

      • Install AWS CLI v2 + EKS plugin

      • Install kubectl v1.24+ and ensure it’s on $PATH

  • Invalid --role format

    • Symptom: “Invalid format for role argument”

    • Fix:

      • Use one of ClusterRole / name, CuratedRole / name, or Role / ns / name exactly

  • Invalid --resource format

    • Symptom: “Invalid format for resource argument”

    • Fix:

      • Must include spaces: Kind / Namespace / Name or Kind / Name

  • Cluster integration lookup fails

    • Symptom: “Failed to fetch cluster integration”

    • Fix:

      • Ensure cluster is onboarded in P0 Security

      • Confirm network access to the P0 API

      • Run with P0_LOG=debug p0 kubeconfig …

  • AWS credential conflicts

    • Symptom: Temporary profile overridden by env vars

    • Fix:

      unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
p0 kubeconfig …

  • aws eks update-kubeconfig errors

    • Fix:

      • Test manually:

        aws eks update-kubeconfig \
  --name <cluster> --region <region> --profile <generated>

      • Verify cluster exists and profile is valid

  • kubectl config use-context fails

    • Fix:

      kubectl config get-contexts
# Inspect ~/.kube/config for the new context entry

  • ARN parsing errors

    • Symptom: “Invalid EKS cluster ARN”

    • Fix:

      • Ensure the ARN in P0 dashboard matches the format arn:aws:eks:<region>:<account>:cluster/<clusterName>

  • Pending approval / timeouts

    • Symptom: Stuck on “Requesting access…”

    • Fix:

      • Approve in Slack or P0 UI

      • Wait ~30–60 s for propagation, or omit --wait

p0 allow

  • Authentication failures

    • Login errors (see p0 login section)

  • Flag & usage errors

    • Missing --to, --length, or --requested-duration

    • Invalid timestamp in --start

  • Network/API unreachable

    • Check HTTPS egress to api.p0.app

  • Provider validation

    • Using wrong subcommand (e.g. p0 allow aws role vs. resource)

    • Run p0 allow <provider> --help

  • --wait hangs or errors

    • Fix: Omit --wait; check grant status in UI

p0 grant

  • Authentication failures

    • Login errors (see p0 login section)

  • Network/API unreachable

    • Same as p0 allow

  • Flag & usage errors

    • Missing --to or --requested-duration

    • Invalid provider or subcommand syntax

    • Use p0 grant <provider> --help

  • --wait hangs / exits non-zero

    • Code 2 = Denied, Code 1 = Provisioning error

    • Omit --wait and inspect logs

p0 ls

  • Pagination / truncation

    • “Showing the first N…” but you expect more

    • Fix: Increase --size, or add a filter term

  • Invalid filters

    • E.g. p0 ls aws policy xyz

    • Check provider-specific --help

  • JSON mode parse errors

    • Run without --json to verify human output

p0 scp

  • Both sides remote or both local

    • Must specify exactly one host:path

Either the source or the destination, must be a remote location. Remote location is detected by checking for a host:path pattern in the source and destination.

  • Unsupported ports on Azure

    • Azure SSH only supports port 22—remove -P

  • Host resolution errors

    • Verify p0 ls ssh session <dest> returns your host

  • Underlying scp errors

    • Run scp -i /path/to/temp_key src dest (from debug output) to isolate

p0 ssh-resolve

This command is meant to be used in an ~/.ssh/config file but for troubleshooting it can be ran standalone

  • Authentication & config errors

    • Login issues (see p0 login section)

  • Invalid arguments

    • Wrong alias, missing --provider when ambiguous

  • Request JSON/key generation

    • Ensure ~/.p0/ssh/id_rsa exists (run p0 ssh-keygen)

  • Config file not written

    • Verify write permissions on ~/.p0/ssh/configs

  • SSH fails after resolve

    • Inspect the generated config and run ssh -F <file> <alias> -vvv

Gathering Diagnostics

  1. SSH trace

    ssh -vvv <alias> 2>&1 | tee ssh-debug.log

  2. Collect files

    • ~/.p0/config.json

    • ~/.p0/identity.json

    • Generated keys/JSON under ~/.p0/ssh/

    • Provider CLI versions (aws --version, gcloud --version, etc.)

  3. Support Send logs, command lines, and environment details to [email protected] or post in your org’s #p0-help Slack.

Previousp0 ssh-resolveNextp0 login

Last updated