# p0 aws permission-set assume

This troubleshooting guide for `p0 aws permission-set assume` is organized into common issue categories. Each section uses a table to show symptoms, causes, and resolutions.

***

### 1. Authentication & session failures

| Symptom                                            | Cause                                                      | Resolution                                                            |
| -------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------- |
| Browser opens but authentication fails             | AWS Identity Center session expired or user not authorized | Log in to AWS Identity Center in your browser, then retry the command |
| Device authorization times out                     | User did not complete browser authentication in time       | Retry the command and complete the browser authentication promptly    |
| `Timed out fetching AWS credentials. Try again...` | Delay between token issuance and availability for exchange | Retry the command; if issue persists, contact <support@p0.dev>        |

***

### 2. Permission set availability errors

| Symptom                                       | Cause                                                     | Resolution                                                                                                            |
| --------------------------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| Permission set not found or access denied     | The requested permission set is not assigned to your user | Request access to the permission set first with `p0 request aws permission-set <name>`, or contact your administrator |
| Access denied after successful authentication | Permission set exists but user lacks assignment           | Contact your AWS Identity Center administrator to assign the permission set                                           |

***

### 3. Account configuration errors

| Symptom                                                                      | Cause                                                            | Resolution                                                                                                                                                   |
| ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `Unexpected login type. Expected IDC to be enabled for account {account}`    | AWS account uses Okta SAML federation instead of Identity Center | The `permission-set` subcommand is only available for Identity Center accounts. Run `p0 aws --help` to see the correct subcommand (`role`) for your account. |
| `P0 is not installed on any AWS account`                                     | No AWS accounts have the P0 integration installed                | Ask your P0 administrator to install the AWS integration on your account                                                                                     |
| `P0 is not installed on AWS account {account}`                               | The specified account ID or alias does not exist in P0           | Verify the account ID with `p0 ls aws account` or check with your administrator                                                                              |
| `Please select a unique AWS account with --account; valid accounts are: ...` | Multiple AWS accounts are configured and none was specified      | Add `--account <id>` to specify which account, or set `P0_AWS_ACCOUNT` environment variable                                                                  |
| `Could not find an AWS account ID for this access request`                   | Account ID not resolved during credential exchange               | Specify the account explicitly with `--account <id>`                                                                                                         |

***

### 4. Request approval issues

| Symptom                                           | Cause                                      | Resolution                                                                                           |
| ------------------------------------------------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| `Your request was denied`                         | An approver denied the P0 access request   | Check your Slack/notification channel for denial reason; adjust your request or contact the approver |
| `Your request encountered an error`               | P0 request processing failed               | Check P0 dashboard for request details; contact P0 support if the issue persists                     |
| `Your request did not complete within 5 minutes.` | Request approval or provisioning timed out | Check notification channel for approval status; approvers may not have seen the request              |

***

### 5. Network & connectivity issues

| Symptom                                       | Cause                                          | Resolution                                                                                                                                |
| --------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `connect ECONNREFUSED` to AWS or P0 endpoints | Outbound HTTPS is blocked by firewall or proxy | Allow HTTPS to AWS OIDC endpoints (`oidc.{region}.amazonaws.com`), AWS SSO portal (`portal.sso.{region}.amazonaws.com`), and `api.p0.app` |
| `getaddrinfo ENOTFOUND`                       | DNS resolution failure                         | Verify DNS can resolve AWS endpoints and P0 API endpoint                                                                                  |
| Command hangs during authentication           | Browser-based login is required but can't open | Ensure a browser is available; check if running in a headless environment                                                                 |

***

### 6. Credential issues

| Symptom                                               | Cause                                                                     | Resolution                                                                     |
| ----------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| AWS commands fail with `ExpiredToken`                 | Session credentials have expired (1 hour lifetime)                        | Re-run `p0 aws permission-set assume` to obtain fresh credentials              |
| Credentials work in one terminal but not another      | Environment variables not set in the other terminal                       | Run the `$(p0 aws permission-set assume ...)` command in each terminal session |
| `AWS_SECURITY_TOKEN` vs `AWS_SESSION_TOKEN` confusion | Both are set for compatibility; some older tools use `AWS_SECURITY_TOKEN` | Both should work; prefer `AWS_SESSION_TOKEN` for modern AWS SDK versions       |

***

### 7. Debugging tips

| Task                               | Command / Action                                       |
| ---------------------------------- | ------------------------------------------------------ |
| **Enable debug output**            | `p0 aws permission-set assume MyPermissionSet --debug` |
| **Check P0 login status**          | `p0 login` (prompts if session is expired)             |
| **List available accounts**        | `p0 ls aws account`                                    |
| **List available permission sets** | `p0 ls aws permission-set --account <id>`              |
| **Verify AWS credentials**         | After assuming, run `aws sts get-caller-identity`      |
| **Clear cached AWS IDC tokens**    | Remove `~/.p0/cache/aws-idc-*` files and retry         |

{% hint style="info" %}
Note: if the `P0_ORG` environment variable is set, the cache may live at `{P0_PATH}/cache-{P0_ORG}`; otherwise it lives at `{P0_PATH}/cache`.
{% endhint %}
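
The cache-location rule above and the credential symptoms from section 6 can be checked with a read-only diagnostic. This is an added example, not part of the P0 CLI; it assumes `P0_PATH` defaults to `~/.p0` and that credentials are exported as the standard AWS SDK environment variables. The function names are hypothetical.

```shell
# Added diagnostic helpers (not part of the P0 CLI).
# Read-only: nothing is deleted and no secret value is printed.

# Cache directory per the note above.
# Assumption: P0_PATH defaults to ~/.p0, matching the ~/.p0/cache path shown earlier.
p0_cache_dir() {
  if [ -n "${P0_ORG:-}" ]; then
    printf '%s\n' "${P0_PATH:-$HOME/.p0}/cache-$P0_ORG"
  else
    printf '%s\n' "${P0_PATH:-$HOME/.p0}/cache"
  fi
}

# Cached AWS IDC token files in the directory that applies to this shell.
p0_idc_cache_files() {
  [ -d "$(p0_cache_dir)" ] || return 0
  find "$(p0_cache_dir)" -maxdepth 1 -type f -name 'aws-idc-*' | sort
}

# Credential state of the current terminal.
# Prints missing:<VAR>, token-mismatch, or ok; returns non-zero unless ok.
# Assumption: credentials are exported as the standard AWS SDK variables.
aws_env_status() {
  for _name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "_value=\${$_name:-}"   # fixed variable names only, no user input
    if [ -z "$_value" ]; then
      printf 'missing:%s\n' "$_name"
      return 1
    fi
  done
  # Both token variables should carry the same value; a difference suggests
  # a leftover AWS_SECURITY_TOKEN from an earlier session in this terminal.
  if [ -n "${AWS_SECURITY_TOKEN:-}" ] &&
     [ "$AWS_SECURITY_TOKEN" != "$AWS_SESSION_TOKEN" ]; then
    printf 'token-mismatch\n'
    return 1
  fi
  printf 'ok\n'
}
```

Run `p0_idc_cache_files` with the same `P0_ORG` value the failing command sees, so the files you remove come from the cache directory that command actually reads.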

***

### 8. Resources for help

{% hint style="info" %}
If you continue to experience issues:

* Check the [P0 status page](https://status.p0.app) for service disruptions
* Review the [AWS integration documentation](/integrations/resource-integrations/aws.md)
* Contact P0 support with debug output from `p0 aws permission-set assume --debug`
{% endhint %}

