# p0 aws role assume

This troubleshooting guide for `p0 aws role assume` is organized into common issue categories. Each section uses a table to show symptoms, causes, and resolutions.

***

### 1. Authentication & session failures

| Symptom                                                                    | Cause                                                                | Resolution                                                                                  |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
| `Your Okta session has expired. Please log out of Okta in your browser...` | Okta OIDC tokens have expired and cannot be refreshed                | Log out of Okta in your browser, then run the command again to trigger a fresh login flow   |
| `Invalid provider configuration - unable to perform token exchange...`     | Okta app is not configured for OAuth 2.0 token exchange              | Contact your P0 administrator to verify the Okta AWS Account Federation app configuration   |
| `No SAML assertion obtained from Okta.`                                    | SAML response parsing failed or Okta returned an unexpected response | Enable `--debug` to see the full response; verify Okta app is correctly configured for SAML |

***

### 2. Role availability errors

| Symptom                                           | Cause                                                 | Resolution                                                                                                                   |
| ------------------------------------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `Role {role} not available. Available roles: ...` | The requested role is not assigned to your Okta user  | Request access to the role first with `p0 request aws role <role>`, or contact your administrator to assign the role in Okta |
| Role appears in "Available roles" but still fails | Okta eventual consistency delay after role assignment | Wait 1-2 minutes and retry; the command has built-in retry logic but may need additional time                                |

***

### 3. Account configuration errors

| Symptom                                                                      | Cause                                                                  | Resolution                                                                                                                                                           |
| ---------------------------------------------------------------------------- | ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Account {label} is not configured for Okta SAML login.`                     | AWS account uses Identity Center (IDC) instead of Okta SAML federation | The `role` subcommand is only available for Okta SAML federated accounts. Run `p0 aws --help` to see the correct subcommand (`permission-set`) for your IDC account. |
| `P0 is not installed on any AWS account`                                     | No AWS accounts have the P0 integration installed                      | Ask your P0 administrator to install the AWS integration on your account                                                                                             |
| `P0 is not installed on AWS account {account}`                               | The specified account ID or alias does not exist in P0                 | Verify the account ID with `p0 ls aws account` or check with your administrator                                                                                      |
| `Please select a unique AWS account with --account; valid accounts are: ...` | Multiple AWS accounts are configured and none was specified            | Add `--account <id>` to specify which account, or set `P0_AWS_ACCOUNT` environment variable                                                                          |

***

### 4. Request approval issues

| Symptom                                           | Cause                                      | Resolution                                                                                           |
| ------------------------------------------------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| `Your request was denied`                         | An approver denied the P0 access request   | Check your Slack/notification channel for denial reason; adjust your request or contact the approver |
| `Your request encountered an error`               | P0 request processing failed               | Check P0 dashboard for request details; contact P0 support if the issue persists                     |
| `Your request did not complete within 5 minutes.` | Request approval or provisioning timed out | Check notification channel for approval status; approvers may not have seen the request              |

***

### 5. Network & connectivity issues

| Symptom                                        | Cause                                           | Resolution                                                                                      |
| ---------------------------------------------- | ----------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| `connect ECONNREFUSED` to Okta or P0 endpoints | Outbound HTTPS is blocked by firewall or proxy  | Allow HTTPS to your Okta domain and `api.p0.app`; set `HTTPS_PROXY` if behind a corporate proxy |
| `getaddrinfo ENOTFOUND`                        | DNS resolution failure                          | Verify DNS can resolve your Okta domain and P0 API endpoint                                     |
| Command hangs during authentication            | Browser-based login is required but cannot open | Ensure a browser is available; check if running in a headless environment                       |

***

### 6. Credential issues

| Symptom                                               | Cause                                                                     | Resolution                                                               |
| ----------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| AWS commands fail with `ExpiredToken`                 | Session credentials have expired (1 hour lifetime)                        | Re-run `p0 aws role assume` to obtain fresh credentials                  |
| Credentials work in one terminal but not another      | Environment variables not set in the other terminal                       | Run the `$(p0 aws role assume ...)` command in each terminal session     |
| `AWS_SECURITY_TOKEN` vs `AWS_SESSION_TOKEN` confusion | Both are set for compatibility; some older tools use `AWS_SECURITY_TOKEN` | Both should work; prefer `AWS_SESSION_TOKEN` for modern AWS SDK versions |
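
The terminal-specific symptoms in this table can be checked with a small shell function. This is an added example, not part of the P0 CLI or its documentation: it reports which credential variables the current terminal has and whether `AWS_SECURITY_TOKEN` matches `AWS_SESSION_TOKEN`, without printing any secret value. The function name and return codes are assumptions made for this example, and `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the standard AWS variable names rather than names taken from this page.

```shell
# Added example (hypothetical helper, not shipped with p0).
# Reports which AWS credential variables are present in THIS shell.
# Only variable names and set/unset status are printed, never values.
# Return codes (chosen for this example):
#   0 = all required variables set and tokens consistent
#   1 = at least one required variable is missing in this terminal
#   2 = AWS_SECURITY_TOKEN is set but differs from AWS_SESSION_TOKEN
# Usage: check_aws_session_env
check_aws_session_env() {
    missing=0
    for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
        # Indirect lookup of a fixed, known variable name (POSIX-compatible).
        eval "value=\${$name-}"
        if [ -n "$value" ]; then
            echo "$name: set"
        else
            echo "$name: NOT set"
            missing=1
        fi
    done
    # Do not leave a copy of a secret behind in a scratch variable.
    unset value

    if [ "$missing" -ne 0 ]; then
        echo "Run the \$(p0 aws role assume ...) command in this terminal."
        return 1
    fi

    # Both token variables are set for compatibility; a mismatch usually
    # means one was left over from an earlier session in this shell.
    if [ -n "${AWS_SECURITY_TOKEN-}" ]; then
        if [ "$AWS_SECURITY_TOKEN" != "$AWS_SESSION_TOKEN" ]; then
            echo "AWS_SECURITY_TOKEN: set, but differs from AWS_SESSION_TOKEN"
            return 2
        fi
        echo "AWS_SECURITY_TOKEN: set, matches AWS_SESSION_TOKEN"
    else
        echo "AWS_SECURITY_TOKEN: not set (only some older tools read it)"
    fi
    return 0
}
```

A return code of 0 only shows that the variables are present; `aws sts get-caller-identity` confirms that they have not expired.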

***

### 7. Debugging tips

| Task                                 | Command / Action                                   |
| ------------------------------------ | -------------------------------------------------- |
| **Enable debug output**              | `p0 aws role assume MyRole --debug`                |
| **Check P0 login status**            | `p0 login` (prompts if session is expired)         |
| **List available accounts**          | `p0 ls aws account`                                |
| **List available roles**             | `p0 ls aws role --account <id>`                    |
| **Skip request for existing access** | `p0 aws role assume MyRole --no-request`           |
| **Verify AWS credentials**           | After assuming, run `aws sts get-caller-identity`  |
| **Check Okta session**               | Log out of Okta in browser, then retry the command |

***

### 8. Resources for help

{% hint style="info" %}
If you continue to experience issues:

* Check the [P0 status page](https://status.p0.app) for service disruptions
* Review the [AWS integration documentation](https://docs.p0.dev/integrations/resource-integrations/aws)
* Contact P0 support with debug output from `p0 aws role assume --debug`
{% endhint %}
