# p0 grant

#### **1. Authentication & Authorization Failures** <a href="#id-1-authentication-and-authorization-failures" id="id-1-authentication-and-authorization-failures"></a>

| **Error Message**                                        | **Cause**                                              | **Resolution**                                                            |
| -------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------- |
| Please run 'p0 login \<organization>' to use the P0 CLI. | You aren’t logged in or your identity file is missing. | Execute `p0 login <ORG ID>` and complete the OIDC flow.                   |
| Could not load credentials for "\<name>"                 | Corrupt or expired credential cache.                   | Remove the cache directory (`rm -rf ~/.p0/cache`) and re-run `p0 login`.  |
| Silent hang or immediate exit without output             | Token auto-refresh failed but no explicit error.       | Clear credentials (`p0 logout` or delete `identity.json`) and log in again. |

***

#### **2. Network & Connectivity Issues** <a href="#id-2-network-and-connectivity-issues" id="id-2-network-and-connectivity-issues"></a>

<table data-header-hidden><thead><tr><th width="249.234375"></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Error Message</strong></td><td><strong>Cause</strong></td><td><strong>Resolution</strong></td></tr><tr><td>Network error: Unable to reach the server at https://&#x3C;tenant>/o/&#x3C;org>/command/.</td><td>Cannot connect to the P0 API endpoint (DNS, firewall, proxy).</td><td>- Verify internet connectivity and DNS resolution.<br>- Check <code>appUrl</code> in <code>~/.p0/config.json</code>.<br>- Whitelist the endpoint in your proxy/firewall.</td></tr><tr><td>fetch failed</td><td>Underlying fetch call timed out or TLS handshake failed.</td><td>- Test with <code>curl https://&#x3C;tenant>/o/&#x3C;org>/command/</code>.<br>- Ensure the system clock is correct to avoid TLS certificate errors.</td></tr></tbody></table>

***

#### **3. Command Usage & Flag Errors** <a href="#id-3-command-usage-and-flag-errors" id="id-3-command-usage-and-flag-errors"></a>

| **Error Message**                        | **Cause**                               | **Resolution**                                                     |
| ---------------------------------------- | --------------------------------------- | ------------------------------------------------------------------ |
| Unknown argument: --foo                  | Typo or unsupported flag provided.      | Run `p0 grant <provider> --help` to view valid flags.              |
| Error: Missing required argument: to     | You omitted the `--to` flag.            | Add `--to alice@example.com` (or the appropriate identifier).      |
| Invalid duration format for '--duration' | The duration string couldn't be parsed. | Use human-friendly durations: `10 minutes`, `2 hours`, `5 days`, `1 week`. |

***

#### **4. Resource & Principal Validation** <a href="#id-4-resource-and-principal-validation" id="id-4-resource-and-principal-validation"></a>

| **Error Message**                     | **Cause**                                                      | **Resolution**                                                                                                |
| ------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| Invalid principal: \<value>           | The `--to` value isn't recognized (typo or non-existent).      | Confirm the principal's email or service-account string is correct and exists in your identity provider.      |
| Resource not found:                   | The specified resource args are wrong or don't exist.          | Validate the ARN, role name, group name, database name, etc., directly in the target system's console or CLI. |
| Permission denied (from provider API) | Your P0 role or provider credentials lack the right privileges. | Ensure your P0 permissions and your provider-side role allow you to request this access.                      |

***

#### **--wait** <a href="#wait" id="wait"></a>

#### **Specific Issues** <a href="#specific-issues" id="specific-issues"></a>

* **Hangs beyond 5 minutes**
  * Cause: Provisioning endpoint is unresponsive or delayed.
  * Resolution: Rerun without `--wait`, then check the P0 UI or logs for the request status.
* **Exits with code 2 or 1**
  * code 2 → Denied
  * code 1 → Error during provisioning
  * Resolution: Inspect the printed message, adjust your parameters, or contact your platform team for more details.
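
A wrapper for scripted use of `--wait`, added here as an example and not part of the P0 CLI or its documentation: it enforces a time limit and separates a denial, a provisioning error and a hang. It assumes exit code 0 means the grant succeeded and that coreutils `timeout` is installed; `run_grant_wait` and `GRANT_STATUS` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example, not P0's own code. Assumptions: exit 0 means the grant
# succeeded; `timeout` (coreutils) is installed; run_grant_wait and
# GRANT_STATUS are hypothetical names.

# run_grant_wait <seconds> <command> [args...]
# Runs the command under a time limit, sets GRANT_STATUS to one of
# granted | denied | error | timeout | unknown, and returns 0 only on granted.
run_grant_wait() {
  local limit="$1" rc=0
  shift
  timeout "$limit" "$@" || rc=$?
  case "$rc" in
    0) GRANT_STATUS=granted ;;
    2) GRANT_STATUS=denied
       echo "denied: inspect the printed message or contact your platform team" >&2 ;;
    1) GRANT_STATUS=error
       echo "provisioning error: inspect the printed message and adjust parameters" >&2 ;;
    # 124 is GNU timeout's expiry status; 143 (128+SIGTERM) means the
    # command itself was terminated, which is how a hang ends elsewhere.
    124|143) GRANT_STATUS=timeout
       echo "no result after ${limit}s: rerun without --wait, then check the P0 UI or logs" >&2 ;;
    *) GRANT_STATUS=unknown
       echo "unexpected exit code $rc" >&2 ;;
  esac
  [ "$GRANT_STATUS" = granted ]
}

# Usage (arguments elided as on this page; 300 s matches the 5-minute mark):
#   run_grant_wait 300 p0 grant … --wait || echo "not granted: $GRANT_STATUS"
```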

***

#### **5. Backend & Server Errors** <a href="#id-5-backend-and-server-errors" id="id-5-backend-and-server-errors"></a>

| **Error Message**         | **Cause**                             | **Resolution**                                                                                    |
| ------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------- |
| 500 Internal Server Error | Unexpected failure in the P0 backend. | Retry after a short wait. If persistent, capture your command, timestamp, and contact P0 support. |
| 429 Too Many Requests     | You've hit rate limits on the P0 API. | Space out your requests, or batch them to stay within limits.                                     |

***

#### **7. Debugging Tips** <a href="#id-7-debugging-tips" id="id-7-debugging-tips"></a>

1. **Enable CLI Debug Logging**

   ```plaintext
   P0_CLI_DEBUG=true p0 grant …
   ```

   Shows detailed HTTP and error traces in stderr.
2. **Test the API Directly**

   ```plaintext
   curl -X POST https://<tenant>/o/<org>/command/ \
     -H "Authorization: Bearer $(p0 debug-token)" \
     -d '{"argv":["grant",…],"scriptName":"p0"}'
   ```

   Examine raw JSON for clearer error fields.
3. **Validate Local Config**

   ```plaintext
   jq .appUrl ~/.p0/config.json
   ```

   Ensure the `appUrl` points at your P0 tenant.
4. **Cross-Check with Native CLIs**

   If a provider-side error occurs, verify directly in that platform's CLI or console (for example, `aws iam get-role …`, `gcloud projects get-iam-policy …`).

***

If you encounter an issue not covered here, please gather:

* Exact `p0 grant` command you ran
* Full error output (copy/paste)
* Debug logs (`P0_CLI_DEBUG=true`)

Then reach out to your P0 support team for assistance.

