# p0 grant

#### **1. Authentication & Authorization Failures** <a href="#id-1-authentication-and-authorization-failures" id="id-1-authentication-and-authorization-failures"></a>

| **Error Message**                                        | **Cause**                                              | **Resolution**                                                            |
| -------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------- |
| Please run 'p0 login \<organization>' to use the P0 CLI. | You aren’t logged in or your identity file is missing. | Execute `p0 login <ORG ID>` and complete the OIDC flow.                   |
| Could not load credentials for "\<name>"                 | Corrupt or expired credential cache.                   | Remove the cache directory (`rm -rf ~/.p0/cache`) and re-run `p0 login`.  |
| Silent hang or immediate exit without output             | Token auto-refresh failed but no explicit error.       | Clear credentials (`p0 logout` or delete `identity.json`) and log in again. |

***

#### **2. Network & Connectivity Issues** <a href="#id-2-network-and-connectivity-issues" id="id-2-network-and-connectivity-issues"></a>

<table data-header-hidden><thead><tr><th width="249.234375"></th><th></th><th></th></tr></thead><tbody><tr><td><strong>Error Message</strong></td><td><strong>Cause</strong></td><td><strong>Resolution</strong></td></tr><tr><td>Network error: Unable to reach the server at https://&#x3C;tenant>/o/&#x3C;org>/command/.</td><td>Cannot connect to the P0 API endpoint (DNS, firewall, proxy).</td><td>- Verify internet connectivity and DNS resolution.<br>- Check <code>appUrl</code> in <code>~/.p0/config.json</code>.<br>- Whitelist the endpoint in your proxy/firewall.</td></tr><tr><td>fetch failed</td><td>Underlying fetch call timed out or TLS handshake failed.</td><td>- Test with <code>curl https://&#x3C;tenant>/o/&#x3C;org>/command/</code>.<br>- Ensure system clock is correct to avoid TLS certificate errors.</td></tr></tbody></table>

***

#### **3. Command Usage & Flag Errors** <a href="#id-3-command-usage-and-flag-errors" id="id-3-command-usage-and-flag-errors"></a>

| **Error Message**                        | **Cause**                               | **Resolution**                                                     |
| ---------------------------------------- | --------------------------------------- | ------------------------------------------------------------------ |
| Unknown argument: --foo                  | Typo or unsupported flag provided.      | Run `p0 grant <provider> --help` to view valid flags.              |
| Error: Missing required argument: to     | You omitted the `--to` flag.            | Add `--to alice@example.com` (or the appropriate identifier).      |
| Invalid duration format for '--duration' | The duration string couldn't be parsed. | Use human-friendly durations: 10 minutes, 2 hours, 5 days, 1 week. |

***

#### **4. Resource & Principal Validation** <a href="#id-4-resource-and-principal-validation" id="id-4-resource-and-principal-validation"></a>

| **Error Message**                     | **Cause**                                                      | **Resolution**                                                                                                |
| ------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
| Invalid principal: \<value>           | The `--to` value isn't recognized (typo or non-existent).      | Confirm the principal's email or service-account string is correct and exists in your identity provider.      |
| Resource not found:                   | The specified resource args are wrong or don't exist.          | Validate the ARN, role name, group name, database name, etc., directly in the target system's console or CLI. |
| Permission denied (from provider API) | Your P0 role or provider credentials lack the right privileges. | Ensure your P0 permissions and your provider-side role allow you to request this access.                      |

***

#### **--wait** <a href="#wait" id="wait"></a>

#### **Specific Issues** <a href="#specific-issues" id="specific-issues"></a>

* **Hangs beyond 5 minutes**
  * Cause: Provisioning endpoint is unresponsive or delayed.
  * Resolution: Rerun without `--wait`, then check the P0 UI or logs for the request status.
* **Exits with code 2 or 1**
  * code 2 → Denied
  * code 1 → Error during provisioning
  * Resolution: Inspect the printed message, adjust your parameters, or contact your platform team for more details.
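
For scripted use, the exit codes and the 5-minute mark above can be handled by a small wrapper. This is an added example, not part of the P0 CLI: the `run_grant` function and `P0_WAIT_LIMIT` variable are hypothetical names, treating exit code 0 as "granted" is an assumption, and `timeout` is the GNU coreutils utility.

```bash
# Added example: bounded wrapper around `p0 grant … --wait`.
# Exit codes 1 and 2 are the ones documented above. Treating 0 as "granted"
# and capping the wait at 300 s (the 5-minute mark above) are assumptions.

P0_WAIT_LIMIT="${P0_WAIT_LIMIT:-300}"   # seconds before we stop waiting

# run_grant CMD [ARGS...]
# Runs CMD under `timeout`, prints one outcome word on stdout, and returns
# CMD's status so a calling script fails closed on anything but success.
run_grant() {
  p0_rc=0
  # The command's own output goes to stderr; stdout carries only the outcome.
  timeout "$P0_WAIT_LIMIT" "$@" >&2 || p0_rc=$?
  case "$p0_rc" in
    0)   echo granted ;;
    1)   echo provisioning-error ;;
    2)   echo denied ;;
    124) echo timed-out ;;      # GNU timeout's status when the limit is hit
    *)   echo unknown ;;
  esac
  return "$p0_rc"
}

# Real use would look like: run_grant p0 grant … --to alice@example.com --wait
# Constructed demo: a stub that exits 2 stands in for a denied request.
status=0
outcome=$(run_grant sh -c 'exit 2') || status=$?
echo "outcome=$outcome status=$status" >&2
```

On `timed-out`, follow the resolution above: check the request status in the P0 UI or logs rather than resubmitting blindly.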

***

#### **5. Backend & Server Errors** <a href="#id-5-backend-and-server-errors" id="id-5-backend-and-server-errors"></a>

| **Error Message**         | **Cause**                             | **Resolution**                                                                                    |
| ------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------- |
| 500 Internal Server Error | Unexpected failure in the P0 backend. | Retry after a short wait. If persistent, capture your command and timestamp, and contact P0 support. |
| 429 Too Many Requests     | You've hit rate limits on the P0 API. | Space out your requests, or batch them to stay within limits.                                     |

***

#### **7. Debugging Tips** <a href="#id-7-debugging-tips" id="id-7-debugging-tips"></a>

1. **Enable CLI Debug Logging**

   ```plaintext
   P0_CLI_DEBUG=true p0 grant …
   ```

   Shows detailed HTTP and error traces in stderr.
2. **Test the API Directly**

   ```plaintext
   curl -X POST https://<tenant>/o/<org>/command/ \
     -H "Authorization: Bearer $(p0 debug-token)" \
     -d '{"argv":["grant",…],"scriptName":"p0"}'
   ```

   Examine raw JSON for clearer error fields.
3. **Validate Local Config**

   ```plaintext
   jq .appUrl ~/.p0/config.json
   ```

   Ensure the appUrl points at your P0 tenant.
4. **Cross-Check with Native CLIs**

   If a provider-side error occurs, verify directly in that platform's CLI or console (for example, `aws iam get-role …`, `gcloud projects get-iam-policy …`).

***

If you encounter an issue not covered here, please gather:

* Exact `p0 grant` command you ran
* Full error output (copy/paste)
* Debug logs (`P0_CLI_DEBUG=true`)

Then reach out to your P0 support team for assistance.
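
One way to collect those three items in a single file while masking credentials before the file leaves your machine. This is an added example, not part of the P0 CLI: `collect_p0_debug` and `redact_secrets` are hypothetical helper names, and it is an assumption that the debug traces can contain `Authorization` headers or JWT-shaped tokens.

```bash
# Added example, not part of the P0 CLI. Assumption: debug traces may include
# Authorization headers or JWT-shaped tokens (the page does not say).

# Mask bearer credentials and JWT-shaped strings read from stdin.
redact_secrets() {
  sed -E \
    -e 's|([Bb]earer[[:space:]]+)[A-Za-z0-9._~+/=_-]+|\1[REDACTED]|g' \
    -e 's|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*|[REDACTED-JWT]|g'
}

# collect_p0_debug BUNDLE CMD [ARGS...]
# Runs CMD with P0_CLI_DEBUG=true and writes timestamp, command, exit code
# and combined stdout/stderr to BUNDLE, all passed through redact_secrets.
collect_p0_debug() {
  bundle="$1"; shift
  raw=$(mktemp) || return 1           # mktemp creates the file mode 0600
  cmd_rc=0
  # Subshell keeps P0_CLI_DEBUG from leaking into the caller's environment.
  ( P0_CLI_DEBUG=true; export P0_CLI_DEBUG; "$@" ) >"$raw" 2>&1 || cmd_rc=$?
  (
    umask 077                         # bundle readable by the owner only
    {
      printf 'timestamp_utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
      printf 'command: %s\n' "$*"
      printf 'exit_code: %s\n' "$cmd_rc"
      printf '%s\n' '--- output (redacted) ---'
      cat "$raw"
    } | redact_secrets >"$bundle"
  )
  chmod 600 "$bundle"                 # also covers a pre-existing file
  rm -f "$raw"
}

# Real use would look like: collect_p0_debug p0-debug.txt p0 grant …
# Constructed demo: a stub command stands in for a failing `p0 grant`.
demo=$(mktemp)
collect_p0_debug "$demo" sh -c 'echo "Authorization: Bearer abc.def" >&2; exit 1'
cat "$demo" >&2; rm -f "$demo"
```

Review the bundle before sending it; pattern-based masking only catches the token shapes listed in `redact_secrets`.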
