# p0 allow

#### **1. Authentication & Authorization Failures** <a href="#id-1-authentication-and-authorization-failures" id="id-1-authentication-and-authorization-failures"></a>

| **Error Message**                                        | **Cause**                                              | **Resolution**                                                            |
| -------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------- |
| Please run 'p0 login \<organization>' to use the P0 CLI. | You aren’t logged in or your identity file is missing. | Execute `p0 login <ORG ID>` and complete the OIDC flow.                   |
| Could not load credentials for "\<name>"                 | Corrupt or expired credential cache.                   | Remove the cache directory (`rm -rf ~/.p0/cache`) and re-run `p0 login`.  |
| Silent hang or immediate exit without output             | Token auto-refresh failed but no explicit error.       | Clear credentials (`p0 logout` or delete `identity.json`) and log in again. |

***

#### **2. Network & Connectivity Issues** <a href="#id-2-network-and-connectivity-issues" id="id-2-network-and-connectivity-issues"></a>

| **Error Message**                                                                  | **Cause**                                                     | **Resolution**                                                                                                                                                      |
| ---------------------------------------------------------------------------------- | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Network error: Unable to reach the server at https\://\<tenant>/o/\<org>/command/. | Cannot connect to the P0 API endpoint (DNS, proxy, firewall). | <p>Verify your internet connection and DNS lookup.<br><br>Check <code>appUrl</code> in <code>\~/.p0/config.json</code>.<br><br>Whitelist the endpoint in your proxy/firewall.</p> |
| fetch failed                                                                       | Underlying fetch call timed out or TLS handshake failed.      | <p>Test reachability with <code>curl https\://\<tenant>/o/\<org>/command/</code>.<br><br>Ensure your system clock is accurate (TLS requires correct time).</p>       |

***

#### **3. Command Usage & Flag Errors** <a href="#id-3-command-usage-and-flag-errors" id="id-3-command-usage-and-flag-errors"></a>

| **Error Message**                    | **Cause**                       | **Resolution**                                                      |
| ------------------------------------ | ------------------------------- | ------------------------------------------------------------------- |
| Unknown argument: --foo              | Typo or unsupported flag.       | Run `p0 allow <provider> --help` to see valid flags and options.    |
| Error: Missing required argument: to | You omitted `--to <principal>`. | Add `--to alice@example.com` (or appropriate identifier).           |
| Invalid date format for '--start'    | Unrecognized timestamp format.  | Use ISO 8601 (`2025-05-01T09:00:00Z`) or common formats (`04/30/2025`). |

***

#### **4. Resource & Principal Validation** <a href="#id-4-resource-and-principal-validation" id="id-4-resource-and-principal-validation"></a>

| **Error Message**                     | **Cause**                                                                               | **Resolution**                                                                                                                                                                               |
| ------------------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Invalid principal: \<value>           | The `--to` value isn't recognized (typo or unregistered user/service).                  | Confirm the principal's email or service-account identifier is correct and exists in your IdP.                                                                                               |
| Resource not found:                   | The provider-specific resource argument doesn't exist (for example, wrong ARN or name). | Validate the resource string (ARN, role name, group name, database name, etc.) in the target system.                                                                                         |
| Permission denied (from provider API) | Your org role lacks rights to grant this permission.                                    | <p>P0 lacks rights to grant this permission in the target system.<br><br>Ensure that the P0 integration is granted permissions that allow it to provision access. Contact your P0 admin.</p> |

***

#### **5. Backend & Server Errors** <a href="#id-5-backend-and-server-errors" id="id-5-backend-and-server-errors"></a>

| **Error Message**                     | **Cause**                                              | **Resolution**                                                                                   |
| ------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------ |
| 500 Internal Server Error             | P0 backend encountered an unexpected failure.          | Retry after a few minutes; if persistent, contact P0 support with request payload and timestamp. |
| 429 Too Many Requests                 | Rate limits exceeded (too many calls in a short time). | Back off and retry after the window resets; batch your requests more slowly.                     |
| Field "reason" exceeds maximum length | Your `--reason` text is too long for audit logs.       | Shorten the reason to a concise summary (<200 characters).                                       |

***

1. **Enable debug output with `--debug`**

   Prints HTTP request/response details to stderr.
2. **Check local config**

   ```plaintext
   cat ~/.p0/config.json
   ```

   Verify `appUrl` and any proxy settings.
3. **Test API directly**

   ```plaintext
   # TOKEN must hold a valid bearer token; <host> and <org> are placeholders.
   curl -X POST "https://<host>/o/<org>/command/" \
     -H "Authorization: Bearer ${TOKEN}" \
     -d '{"argv":["ls","aws","resource",""],"scriptName":"p0"}'
   ```

   Examine raw JSON to ensure the backend is returning items.
4. **Validate provider-side state**

   If you expect resources to exist, confirm in the native console or CLI (e.g., `aws s3 ls`, `kubectl get pods`, etc.).
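
The direct API test above can be triaged mechanically. The following is an added example, not part of the P0 CLI or its documentation: it maps curl's documented exit codes and the HTTP status onto the resolutions in the tables on this page. The function names, the `TOKEN` variable, and the 401 mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the outcome of the direct API test.

# classify_p0_probe <curl_exit_code> <http_status>
# Prints one remediation hint; returns 0 only when the backend answered 2xx.
classify_p0_probe() {
  rc="$1"; status="$2"
  case "$rc" in
    0) ;;  # transport succeeded, inspect the HTTP status below
    5|6)   echo "dns: could not resolve host or proxy name; check DNS and appUrl"; return 1 ;;
    7)     echo "connect: endpoint unreachable; check proxy/firewall rules"; return 1 ;;
    28)    echo "timeout: request timed out; check connectivity and proxy"; return 1 ;;
    35|60) echo "tls: handshake or certificate check failed; verify system clock"; return 1 ;;
    *)     echo "network: curl exit $rc; re-run p0 with --debug"; return 1 ;;
  esac
  case "$status" in
    2??) echo "ok: backend answered; examine the returned JSON"; return 0 ;;
    # Assumption: a rejected bearer token is answered with 401.
    401) echo "auth: token rejected; clear credentials and run p0 login"; return 1 ;;
    429) echo "rate-limit: back off and retry after the window resets"; return 1 ;;
    5??) echo "server: retry in a few minutes; contact P0 support if persistent"; return 1 ;;
    *)   echo "http: unexpected status $status; re-run p0 with --debug"; return 1 ;;
  esac
}

# probe_p0 <url>: runs the request shown on this page and classifies the result.
# TOKEN (hypothetical variable name) must be exported with a valid bearer token.
probe_p0() {
  [ -n "${TOKEN:-}" ] || { echo "auth: TOKEN is not set"; return 1; }
  status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 -X POST "$1" \
    -H "Authorization: Bearer ${TOKEN}" \
    -d '{"argv":["ls","aws","resource",""],"scriptName":"p0"}' 2>/dev/null)
  rc=$?
  classify_p0_probe "$rc" "$status"
}
```

Call it as `probe_p0 "https://<host>/o/<org>/command/"` with your own host and organization substituted.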
