# p0 aws role assume

This troubleshooting guide for `p0 aws role assume` is organized into common issue categories. Each section uses a table to show symptoms, causes, and resolutions.

***

### 1. Authentication & session failures

| Symptom                                                                    | Cause                                                                | Resolution                                                                                  |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- |
| `Your Okta session has expired. Please log out of Okta in your browser...` | Okta OIDC tokens have expired and cannot be refreshed                | Log out of Okta in your browser, then run the command again to trigger a fresh login flow   |
| `Invalid provider configuration - unable to perform token exchange...`     | Okta app is not configured for OAuth 2.0 token exchange              | Contact your P0 administrator to verify the Okta AWS Account Federation app configuration   |
| `No SAML assertion obtained from Okta.`                                    | SAML response parsing failed or Okta returned an unexpected response | Enable `--debug` to see the full response; verify Okta app is correctly configured for SAML |

***

### 2. Role availability errors

| Symptom                                           | Cause                                                 | Resolution                                                                                                                   |
| ------------------------------------------------- | ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `Role {role} not available. Available roles: ...` | The requested role is not assigned to your Okta user  | Request access to the role first with `p0 request aws role <role>`, or contact your administrator to assign the role in Okta |
| Role appears in "Available roles" but still fails | Okta eventual consistency delay after role assignment | Wait 1-2 minutes and retry; the command has built-in retry logic but may need additional time                                |

***

### 3. Account configuration errors

| Symptom                                                                      | Cause                                                                  | Resolution                                                                                                                                                           |
| ---------------------------------------------------------------------------- | ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Account {label} is not configured for Okta SAML login.`                     | AWS account uses Identity Center (IDC) instead of Okta SAML federation | The `role` subcommand is only available for Okta SAML federated accounts. Run `p0 aws --help` to see the correct subcommand (`permission-set`) for your IDC account. |
| `P0 is not installed on any AWS account`                                     | No AWS accounts have the P0 integration installed                      | Ask your P0 administrator to install the AWS integration on your account                                                                                             |
| `P0 is not installed on AWS account {account}`                               | The specified account ID or alias does not exist in P0                 | Verify the account ID with `p0 ls aws account` or check with your administrator                                                                                      |
| `Please select a unique AWS account with --account; valid accounts are: ...` | Multiple AWS accounts are configured and none was specified            | Add `--account <id>` to specify which account, or set `P0_AWS_ACCOUNT` environment variable                                                                          |

***

### 4. Request approval issues

| Symptom                                           | Cause                                      | Resolution                                                                                           |
| ------------------------------------------------- | ------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| `Your request was denied`                         | An approver denied the P0 access request   | Check your Slack/notification channel for denial reason; adjust your request or contact the approver |
| `Your request encountered an error`               | P0 request processing failed               | Check P0 dashboard for request details; contact P0 support if the issue persists                     |
| `Your request did not complete within 5 minutes.` | Request approval or provisioning timed out | Check notification channel for approval status; approvers may not have seen the request              |

***

### 5. Network & connectivity issues

| Symptom                                        | Cause                                           | Resolution                                                                                      |
| ---------------------------------------------- | ----------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| `connect ECONNREFUSED` to Okta or P0 endpoints | Outbound HTTPS is blocked by firewall or proxy  | Allow HTTPS to your Okta domain and `api.p0.app`; set `HTTPS_PROXY` if behind a corporate proxy |
| `getaddrinfo ENOTFOUND`                        | DNS resolution failure                          | Verify DNS can resolve your Okta domain and P0 API endpoint                                     |
| Command hangs during authentication            | Browser-based login is required but cannot open | Ensure a browser is available; check if running in a headless environment                       |

***

### 6. Credential issues

| Symptom                                               | Cause                                                                     | Resolution                                                               |
| ----------------------------------------------------- | ------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| AWS commands fail with `ExpiredToken`                 | Session credentials have expired (1 hour lifetime)                        | Re-run `p0 aws role assume` to obtain fresh credentials                  |
| Credentials work in one terminal but not another      | Environment variables not set in the other terminal                       | Run the `$(p0 aws role assume ...)` command in each terminal session     |
| `AWS_SECURITY_TOKEN` vs `AWS_SESSION_TOKEN` confusion | Both are set for compatibility; some older tools use `AWS_SECURITY_TOKEN` | Both should work; prefer `AWS_SESSION_TOKEN` for modern AWS SDK versions |
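
An added example (not part of the P0 CLI or its documentation) for the second and third rows above: a POSIX shell function that reports whether the credential variables are present and consistent in the current terminal, without printing their values. `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are the standard AWS variable names and are assumed to be what the command exports; the function name `p0_aws_env_status` is hypothetical.

```shell
#!/bin/sh
# Added example: inspect the AWS credential variables in this shell.
# Only variable names and a status word are printed, never the secret values,
# so the output is safe to paste into a support ticket.
#
# Status words (exit code 0 only for "ok"):
#   missing:<VAR>  a required variable is unset or empty in this terminal
#   legacy-only    AWS_SECURITY_TOKEN is set but AWS_SESSION_TOKEN is not
#   mismatch       the two token variables hold different values
#   ok             key id, secret and session token are present and consistent
p0_aws_env_status() {
  if [ -z "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "missing:AWS_ACCESS_KEY_ID"; return 1
  fi
  if [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "missing:AWS_SECRET_ACCESS_KEY"; return 1
  fi
  if [ -z "${AWS_SESSION_TOKEN:-}" ]; then
    if [ -n "${AWS_SECURITY_TOKEN:-}" ]; then
      echo "legacy-only"
    else
      echo "missing:AWS_SESSION_TOKEN"
    fi
    return 1
  fi
  # Both token variables should carry the same session token. A difference
  # means this shell holds leftovers from two different sessions.
  if [ -n "${AWS_SECURITY_TOKEN:-}" ] &&
     [ "$AWS_SECURITY_TOKEN" != "$AWS_SESSION_TOKEN" ]; then
    echo "mismatch"; return 1
  fi
  echo "ok"
}

# Stand-alone use: print the status and, on failure, the page's resolution.
p0_aws_env_status ||
  echo 'Run the $(p0 aws role assume ...) command in this terminal.' >&2
```

A status of `ok` only means the variables are set consistently; it does not detect expired credentials, so follow it with `aws sts get-caller-identity`.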

***

### 7. Debugging tips

| Task                                 | Command / Action                                   |
| ------------------------------------ | -------------------------------------------------- |
| **Enable debug output**              | `p0 aws role assume MyRole --debug`                |
| **Check P0 login status**            | `p0 login` (prompts if session is expired)         |
| **List available accounts**          | `p0 ls aws account`                                |
| **List available roles**             | `p0 ls aws role --account <id>`                    |
| **Skip request for existing access** | `p0 aws role assume MyRole --no-request`           |
| **Verify AWS credentials**           | After assuming, run `aws sts get-caller-identity`  |
| **Check Okta session**               | Log out of Okta in browser, then retry the command |

***

### 8. Resources for help

{% hint style="info" %}
If you continue to experience issues:

* Check the [P0 status page](https://status.p0.app) for service disruptions
* Review the [AWS integration documentation](/integrations/resource-integrations/aws.md)
* Contact P0 support with debug output from `p0 aws role assume --debug`
{% endhint %}

