# p0 aws permission-set assume

This troubleshooting guide for `p0 aws permission-set assume` is organized into common issue categories. Each section uses a table to show symptoms, causes, and resolutions.

***

### 1. Authentication & session failures

| Symptom                                            | Cause                                                      | Resolution                                                            |
| -------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------- |
| Browser opens but authentication fails             | AWS Identity Center session expired or user not authorized | Log in to AWS Identity Center in your browser, then retry the command |
| Device authorization times out                     | User did not complete browser authentication in time       | Retry the command and complete the browser authentication promptly    |
| `Timed out fetching AWS credentials. Try again...` | Delay between token issuance and availability for exchange | Retry the command; if issue persists, contact <support@p0.dev>        |

***

### 2. Permission set availability errors

| Symptom                                       | Cause                                                     | Resolution                                                                                                            |
| --------------------------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
| Permission set not found or access denied     | The requested permission set is not assigned to your user | Request access to the permission set first with `p0 request aws permission-set <name>`, or contact your administrator |
| Access denied after successful authentication | Permission set exists but user lacks assignment           | Contact your AWS Identity Center administrator to assign the permission set                                           |

***

### 3. Account configuration errors

| Symptom                                                                      | Cause                                                            | Resolution                                                                                                                                                   |
| ---------------------------------------------------------------------------- | ---------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `Unexpected login type. Expected IDC to be enabled for account {account}`    | AWS account uses Okta SAML federation instead of Identity Center | The `permission-set` subcommand is only available for Identity Center accounts. Run `p0 aws --help` to see the correct subcommand (`role`) for your account. |
| `P0 is not installed on any AWS account`                                     | No AWS accounts have the P0 integration installed                | Ask your P0 administrator to install the AWS integration on your account                                                                                     |
| `P0 is not installed on AWS account {account}`                               | The specified account ID or alias does not exist in P0           | Verify the account ID with `p0 ls aws account` or check with your administrator                                                                              |
| `Please select a unique AWS account with --account; valid accounts are: ...` | Multiple AWS accounts are configured and none was specified      | Add `--account <id>` to specify which account, or set `P0_AWS_ACCOUNT` environment variable                                                                  |
| `Could not find an AWS account ID for this access request`                   | Account ID not resolved during credential exchange               | Specify the account explicitly with `--account <id>`                                                                                                         |

***

### 4. Request approval issues

| Symptom                                           | Cause                                      | Resolution                                                                                           |
| ------------------------------------------------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| `Your request was denied`                         | An approver denied the P0 access request   | Check your Slack/notification channel for denial reason; adjust your request or contact the approver |
| `Your request encountered an error`               | P0 request processing failed               | Check P0 dashboard for request details; contact P0 support if the issue persists                     |
| `Your request did not complete within 5 minutes.` | Request approval or provisioning timed out | Check notification channel for approval status; approvers may not have seen the request              |

***

### 5. Network & connectivity issues

| Symptom                                       | Cause                                          | Resolution                                                                                                                                |
| --------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| `connect ECONNREFUSED` to AWS or P0 endpoints | Outbound HTTPS is blocked by firewall or proxy | Allow HTTPS to AWS OIDC endpoints (`oidc.{region}.amazonaws.com`), AWS SSO portal (`portal.sso.{region}.amazonaws.com`), and `api.p0.app` |
| `getaddrinfo ENOTFOUND`                       | DNS resolution failure                         | Verify DNS can resolve AWS endpoints and P0 API endpoint                                                                                  |
| Command hangs during authentication           | Browser-based login is required but can't open | Ensure a browser is available; check if running in a headless environment                                                                 |

***

### 6. Credential issues

| Symptom                                               | Cause                                                                     | Resolution                                                                     |
| ----------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------------ |
| AWS commands fail with `ExpiredToken`                 | Session credentials have expired (1 hour lifetime)                        | Re-run `p0 aws permission-set assume` to obtain fresh credentials              |
| Credentials work in one terminal but not another      | Environment variables not set in the other terminal                       | Run the `$(p0 aws permission-set assume ...)` command in each terminal session |
| `AWS_SECURITY_TOKEN` vs `AWS_SESSION_TOKEN` confusion | Both are set for compatibility; some older tools use `AWS_SECURITY_TOKEN` | Both should work; prefer `AWS_SESSION_TOKEN` for modern AWS SDK versions       |

***

### 7. Debugging tips

| Task                               | Command / Action                                       |
| ---------------------------------- | ------------------------------------------------------ |
| **Enable debug output**            | `p0 aws permission-set assume MyPermissionSet --debug` |
| **Check P0 login status**          | `p0 login` (prompts if session is expired)             |
| **List available accounts**        | `p0 ls aws account`                                    |
| **List available permission sets** | `p0 ls aws permission-set --account <id>`              |
| **Verify AWS credentials**         | After assuming, run `aws sts get-caller-identity`      |
| **Clear cached AWS IDC tokens**    | Remove `~/.p0/cache/aws-idc-*` files and retry         |

{% hint style="info" %}
Note: if the `P0_ORG` environment variable is set, the cache may live at `{P0_PATH}/cache-{P0_ORG}`; otherwise it lives at `{P0_PATH}/cache`.
{% endhint %}
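
The credential checks from section 6 and the cache cleanup above can be combined into one local triage helper. This is an added example, not part of the p0 CLI; the function names are hypothetical, and it assumes `P0_PATH` defaults to `~/.p0`, as the default cache path above implies.

```shell
#!/bin/sh
# Added example (not part of the p0 CLI): local triage helpers.
# Assumption: P0_PATH defaults to ~/.p0, as the default cache path implies.

# Print the cache directory, honouring P0_PATH and P0_ORG.
p0_cache_dir() {
    base="${P0_PATH:-$HOME/.p0}"
    if [ -n "${P0_ORG:-}" ]; then
        echo "$base/cache-$P0_ORG"
    else
        echo "$base/cache"
    fi
}

# Remove cached IDC token files only; print how many were removed.
clear_idc_tokens() {
    dir=$(p0_cache_dir)
    count=0
    for f in "$dir"/aws-idc-*; do
        [ -f "$f" ] || continue    # the glob stays literal when nothing matches
        rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Check this terminal's credential variables without printing their values.
# Returns 0 = usable, 1 = a required variable is missing, 2 = token mismatch.
check_aws_env() {
    rc=0
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { echo "missing: $name" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # Both token variables are set together, so a differing legacy value
    # points to a leftover from another session.
    if [ -n "${AWS_SECURITY_TOKEN:-}" ] &&
        [ "$AWS_SECURITY_TOKEN" != "$AWS_SESSION_TOKEN" ]; then
        echo "mismatch: AWS_SECURITY_TOKEN differs from AWS_SESSION_TOKEN" >&2
        return 2
    fi
    echo "ok: session credentials present (values not shown)"
}

# Read-only report when run directly; clearing the cache stays an explicit call.
echo "cache dir: $(p0_cache_dir)"
check_aws_env || echo "re-run p0 aws permission-set assume in this terminal" >&2
```

Source the file to call `clear_idc_tokens` before retrying, and follow a passing check with `aws sts get-caller-identity` to confirm the credentials have not expired.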

***

### 8. Resources for help

{% hint style="info" %}
If you continue to experience issues:

* Check the [P0 status page](https://status.p0.app) for service disruptions
* Review the [AWS integration documentation](https://docs.p0.dev/integrations/resource-integrations/aws)
* Contact P0 support with debug output from `p0 aws permission-set assume --debug`
{% endhint %}
