# p0 allow

#### **1. Authentication & Authorization Failures**

| **Error Message**                                        | **Cause**                                              | **Resolution**                                                            |
| -------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------- |
| Please run 'p0 login \<organization>' to use the P0 CLI. | You aren’t logged in or your identity file is missing. | Execute `p0 login <ORG ID>` and complete the OIDC flow.                   |
| Could not load credentials for "\<name>"                 | Corrupt or expired credential cache.                   | Remove the cache directory (`rm -rf ~/.p0/cache`) and re-run `p0 login`.  |
| Silent hang or immediate exit without output             | Token auto-refresh failed without an explicit error.   | Clear credentials (`p0 logout` or delete `identity.json`) and log in again. |

***

#### **2. Network & Connectivity Issues**

| **Error Message**                                                                  | **Cause**                                                     | **Resolution**                                                                                                                                                      |
| ---------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Network error: Unable to reach the server at https\://\<tenant>/o/\<org>/command/. | Cannot connect to the P0 API endpoint (DNS, proxy, firewall). | Verify your internet connection and DNS lookup.<br><br>Check `appUrl` in `~/.p0/config.json`.<br><br>Whitelist the endpoint in your proxy/firewall. |
| fetch failed                                                                       | Underlying fetch call timed out or TLS handshake failed.      | Test reachability with `curl https://<tenant>/o/<org>/command/`.<br><br>Ensure your system clock is accurate (TLS requires correct time). |

***

#### **3. Command Usage & Flag Errors**

| **Error Message**                    | **Cause**                       | **Resolution**                                                      |
| ------------------------------------ | ------------------------------- | ------------------------------------------------------------------- |
| Unknown argument: --foo              | Typo or unsupported flag.       | Run `p0 allow <provider> --help` to see valid flags and options.    |
| Error: Missing required argument: to | You omitted `--to <principal>`. | Add `--to alice@example.com` (or appropriate identifier).           |
| Invalid date format for '--start'    | Unrecognized timestamp format.  | Use ISO 8601 (`2025-05-01T09:00:00Z`) or common formats (`04/30/2025`). |

***

#### **4. Resource & Principal Validation**

| **Error Message**                     | **Cause**                                                                               | **Resolution**                                                                                                                                                                               |
| ------------------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Invalid principal: \<value>           | The `--to` value isn't recognized (typo or unregistered user/service).                  | Confirm the principal's email or service-account identifier is correct and exists in your IdP.                                                                                               |
| Resource not found:                   | The provider-specific resource argument doesn't exist (for example, wrong ARN or name). | Validate the resource string (ARN, role name, group name, database name, etc.) in the target system.                                                                                         |
| Permission denied (from provider API) | Your org role lacks rights to grant this permission.                                    | P0 lacks rights to grant this permission in the target system.<br><br>Ensure that the P0 integration is granted permissions that allow it to provision access. Contact your P0 admin. |

***

#### **5. Backend & Server Errors**

| **Error Message**                     | **Cause**                                              | **Resolution**                                                                                   |
| ------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------ |
| 500 Internal Server Error             | P0 backend encountered an unexpected failure.          | Retry after a few minutes; if persistent, contact P0 support with request payload and timestamp. |
| 429 Too Many Requests                 | Rate limits exceeded (too many calls in a short time). | Back off and retry after the window resets; batch your requests more slowly.                     |
| Field "reason" exceeds maximum length | Your `--reason` text is too long for audit logs.       | Shorten the reason to a concise summary (<200 characters).                                       |

***

1. **Enable debug output with `--debug`**

   Prints HTTP request/response details to stderr.

2. **Check local config**

   ```plaintext
   cat ~/.p0/config.json
   ```

   Verify `appUrl` and any proxy settings.

3. **Test API directly**

   ```plaintext
   curl -X POST https://<host>/o/<org>/command/ \
     -H "Authorization: Bearer $(token)" \
     -d '{"argv":["ls","aws","resource",""],"scriptName":"p0"}'
   ```

   Examine raw JSON to ensure the backend is returning items.

4. **Validate provider-side state**

   If you expect resources to exist, confirm in the native console or CLI (e.g., `aws s3 ls`, `kubectl get pods`, etc.).
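
Output captured with `--debug`, or a `curl` trace from the direct API test, can carry the bearer token from the `Authorization` header, so it should be scrubbed before it is attached to a support request. The filter below is an added example, not part of the P0 CLI or its documentation; the sample log lines are constructed, and the exact `--debug` output format and JSON field names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the P0 docs): scrub credentials from captured
# --debug or curl output before sharing it. Patterns are assumptions about
# what such output contains; extend them to match what you actually see.

# redact_debug: stdin -> stdout. Masks bearer tokens, cookie headers and
# token-bearing JSON fields. '#' is the sed delimiter so '/' may appear in tokens.
redact_debug() {
  sed -E \
    -e 's#([Aa]uthorization:[[:space:]]*[Bb]earer[[:space:]]+)[A-Za-z0-9._~+/=-]+#\1[REDACTED]#g' \
    -e 's#("(access_token|id_token|refresh_token)"[[:space:]]*:[[:space:]]*")[^"]*#\1[REDACTED]#g' \
    -e 's#([Cc]ookie:[[:space:]]*).*#\1[REDACTED]#'
}

# count_leaks: stdin -> number of lines that still contain a JWT-shaped
# string (three base64url segments, the first starting with "eyJ").
count_leaks() {
  grep -cE 'eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+' || true
}

# sample_debug: constructed trace for demonstration only. The token is a
# dummy value and the line layout is not taken from real p0 output.
sample_debug() {
  cat <<'EOF'
> POST /o/example-org/command/ HTTP/1.1
> Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl
> Content-Type: application/json
{"argv":["ls","aws","resource",""],"scriptName":"p0"}
< HTTP/1.1 200 OK
< Set-Cookie: session=abc123; Path=/; HttpOnly
{"id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl", "ok": true}
EOF
}

# Demonstration: show the scrubbed trace, then confirm nothing JWT-shaped is left.
# Real use: p0 allow <provider> ... --debug 2>&1 | redact_debug > debug-redacted.log
sample_debug | redact_debug
echo "JWT-shaped lines remaining: $(sample_debug | redact_debug | count_leaks)"
```

Run `count_leaks` on the redacted file as a final gate; a non-zero count means a token format slipped past the patterns and the file should not be shared yet.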


