p0 allow

1. Authentication & Authorization Failures

| Error Message | Cause | Resolution |
| --- | --- | --- |
| Please run 'p0 login <organization>' to use the P0 CLI. | You aren’t logged in or your identity file is missing. | Execute p0 login <ORG ID> and complete the OIDC flow. |
| Could not load credentials for "<name>" | Corrupt or expired credential cache. | Remove the cache directory (rm -rf ~/.p0/cache) and re-run p0 login. |
| Silent hang or immediate exit without output | Token auto-refresh failed but no explicit error. | Clear credentials (p0 logout or delete identity.json) and log in again. |


2. Network & Connectivity Issues

| Error Message | Cause | Resolution |
| --- | --- | --- |
| Network error: Unable to reach the server at https://<tenant>/o/<org>/command/. | Cannot connect to the P0 API endpoint (DNS, proxy, firewall). | Verify your internet connection and DNS lookup. Check appUrl in ~/.p0/config.json. Whitelist the endpoint in your proxy/firewall. |
| fetch failed | Underlying fetch call timed out or TLS handshake failed. | Test reachability with curl https://<tenant>/o/<org>/command/. Ensure your system clock is accurate (TLS requires correct time). |


3. Command Usage & Flag Errors

| Error Message | Cause | Resolution |
| --- | --- | --- |
| Unknown argument: --foo | Typo or unsupported flag. | Run p0 allow <provider> --help to see valid flags and options. |
| Error: Missing required argument: to | You omitted --to <principal>. | Add --to [email protected] (or appropriate identifier). |
| Error: Missing required argument: requested-duration | You omitted --requested-duration. | Specify --requested-duration "4 hours" (or other valid duration). |
| Invalid date format for '--start' | Unrecognized timestamp format. | Use ISO 8601 (2025-05-01T09:00:00Z) or common formats (04/30/2025). |
| Invalid duration format | --requested-duration couldn’t parse your string. | Use human-friendly durations: 10 minutes, 2 hours, 5 days, 1 week, or 1 month. |


4. Resource & Principal Validation

| Error Message | Cause | Resolution |
| --- | --- | --- |
| Invalid principal: <value> | The --to value isn’t recognized (typo or unregistered user/service). | Confirm the principal’s email or service-account identifier is correct and exists in your IDP. |
| Resource not found: <resource> | The provider-specific resource argument doesn’t exist (e.g. wrong ARN or name). | Validate the resource string (ARN, role name, group name, database name, etc.) in the target system. |
| Permission denied (from provider API) | Your org role lacks rights to grant this permission. | P0 lacks rights to grant this permission in the target system. Ensure that the P0 integration is granted permissions that allow it to provision access. Contact your P0 admin. |


5. Backend & Server Errors

| Error Message | Cause | Resolution |
| --- | --- | --- |
| 500 Internal Server Error | P0 backend encountered an unexpected failure. | Retry after a few minutes; if persistent, contact P0 support with request payload and timestamp. |
| 429 Too Many Requests | Rate limits exceeded (too many calls in a short time). | Back off and retry after the window resets; batch your requests more slowly. |
| Field “reason” exceeds maximum length | Your --reason text is too long for audit logs. | Shorten the reason to a concise summary (<200 characters). |
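The flag errors in section 3 and the reason-length limit above can be caught before a request is sent, which is useful when p0 allow is called from automation. The following is an added example, not P0's own code: it assumes the CLI accepts only the date and duration formats listed on this page and takes flags as `--flag value` pairs; the function names and the sample address are constructed.

```python
import re
from datetime import datetime

# Assumption: only the formats this page lists are valid; the real CLI may accept more.
DURATION_RE = re.compile(r"[1-9]\d* (minute|hour|day|week|month)s?")
START_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%m/%d/%Y")  # ISO 8601 UTC, MM/DD/YYYY
MAX_REASON_CHARS = 200  # page: keep --reason under 200 characters
REQUIRED = ("to", "requested-duration")

def parse_flags(argv):
    """Collect `--flag value` pairs; a flag directly followed by another flag has no value."""
    flags, i = {}, 0
    while i < len(argv):
        if argv[i].startswith("--") and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            flags[argv[i][2:]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return flags

def valid_start(value):
    """True if the value parses as a real calendar date in one of the listed formats."""
    for fmt in START_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False

def preflight(argv):
    """Return the error messages from this page that the argument list would trigger."""
    flags = parse_flags(argv)
    problems = [f"Missing required argument: {name}" for name in REQUIRED if name not in flags]
    duration = flags.get("requested-duration")
    if duration is not None and not DURATION_RE.fullmatch(duration):
        problems.append("Invalid duration format")
    if "start" in flags and not valid_start(flags["start"]):
        problems.append("Invalid date format for '--start'")
    if len(flags.get("reason", "")) >= MAX_REASON_CHARS:
        problems.append("Field “reason” exceeds maximum length")
    return problems

if __name__ == "__main__":
    # Constructed sample: the arguments that would follow `p0 allow <provider>`.
    sample = ["--to", "alice@example.com", "--requested-duration", "4hrs",
              "--start", "2025-13-01T09:00:00Z", "--reason", "x" * 250]
    print("\n".join(preflight(sample)))
```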


6. Debugging Tips

  1. Enable debug output with --debug

     Prints HTTP request/response details to stderr.

  2. Check local config

     cat ~/.p0/config.json

     Verify appUrl and any proxy settings.

  3. Test the API directly

     # TOKEN must hold your bearer token
     curl -X POST https://<host>/o/<org>/command/ \
       -H "Authorization: Bearer $TOKEN" \
       -d '{"argv":["ls","aws","resource",""],"scriptName":"p0"}'

     Examine the raw JSON to ensure the backend is returning items.

  4. Validate provider-side state

     If you expect resources to exist, confirm in the native console or CLI (e.g., aws s3 ls, kubectl get pods).
