p0 grant

1. Authentication & Authorization Failures

| Error Message | Cause | Resolution |
| --- | --- | --- |
| `Please run 'p0 login <organization>' to use the P0 CLI.` | You aren’t logged in or your identity file is missing. | Execute `p0 login <ORG ID>` and complete the OIDC flow. |
| `Could not load credentials for "<name>"` | Corrupt or expired credential cache. | Remove the cache directory (`rm -rf ~/.p0/cache`) and re-run `p0 login`. |
| Silent hang or immediate exit without output | Token auto-refresh failed but no explicit error. | Clear credentials (`p0 logout` or delete `identity.json`) and log in again. |


2. Network & Connectivity Issues

| Error Message | Cause | Resolution |
| --- | --- | --- |
| `Network error: Unable to reach the server at https://<tenant>/o/<org>/command/.` | Cannot connect to the P0 API endpoint (DNS, firewall, proxy). | Verify internet connectivity and DNS resolution. Check `appUrl` in `~/.p0/config.json`. Whitelist the endpoint in your proxy/firewall. |
| `fetch failed` | Underlying fetch call timed out or TLS handshake failed. | Test with `curl https://<tenant>/o/<org>/command/`. Ensure system clock is correct to avoid TLS certificate errors. |


3. Command Usage & Flag Errors

| Error Message | Cause | Resolution |
| --- | --- | --- |
| `Unknown argument: --foo` | Typo or unsupported flag provided. | Run `p0 grant <provider> --help` to view valid flags. |
| `Error: Missing required argument: to` | You omitted the `--to` flag. | Add `--to <email>` (or the appropriate identifier). |
| `Error: Missing required argument: requested-duration` | You omitted `--requested-duration`. | Specify `--requested-duration "4 hours"` (or another valid duration). |
| `Invalid duration format for '--requested-duration'` | The duration string couldn’t be parsed. | Use human-friendly durations: `10 minutes`, `2 hours`, `5 days`, `1 week`. |


4. Resource & Principal Validation

| Error Message | Cause | Resolution |
| --- | --- | --- |
| `Invalid principal: <value>` | The `--to` value isn’t recognized (typo or non-existent). | Confirm the principal’s email or service-account string is correct and exists in your identity provider. |
| `Resource not found: <resource>` | The specified resource args are incorrect or don’t exist. | Validate the ARN, role name, group name, database name, etc., directly in the target system’s console or CLI. |
| `Permission denied` (from provider API) | Your P0 role or provider credentials lack the right privileges. | Ensure your P0 permissions and your provider-side role allow you to request this access. |


--wait Specific Issues

  • Hangs beyond 5 minutes

    • Cause: Provisioning endpoint is unresponsive or delayed.

    • Resolution: Rerun without --wait, then check the P0 UI or logs for the request status.

  • Exits with code 2 or 1

    • code 2 → Denied

    • code 1 → Error during provisioning

    • Resolution: Inspect the printed message, adjust your parameters, or contact your platform team for more details.
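
Added example (not part of the P0 CLI or its documentation): a shell wrapper that lets a script act on the `--wait` outcomes listed above. The names `classify_wait_exit`, `run_grant_wait` and `WAIT_LIMIT_SECONDS` are hypothetical; treating exit code 0 as "granted" and relying on GNU `timeout` (exit status 124 on expiry) are assumptions.

```bash
#!/usr/bin/env bash
# From the page: exit code 2 = denied, exit code 1 = error during provisioning,
# and a wait of more than 5 minutes is treated as a hang.
# Assumptions: exit code 0 means granted; GNU `timeout` returns 124 on expiry.

WAIT_LIMIT_SECONDS="${WAIT_LIMIT_SECONDS:-300}"   # 5 minutes, per the page

# classify_wait_exit CODE -> prints granted | denied | error | hung | unknown
classify_wait_exit() {
  case "$1" in
    0)   echo granted ;;   # assumption, not stated on the page
    2)   echo denied ;;
    1)   echo error ;;
    124) echo hung ;;      # time limit reached (GNU timeout)
    *)   echo unknown ;;
  esac
}

# run_grant_wait CMD [ARGS...]
# Runs the complete command (for example a `p0 grant ... --wait` invocation)
# under the time limit. The command's own output goes to stderr, the outcome
# word goes to stdout, and the original exit code is returned to the caller.
run_grant_wait() {
  _rc=0
  if command -v timeout >/dev/null 2>&1; then
    timeout "$WAIT_LIMIT_SECONDS" "$@" 1>&2 || _rc=$?
  else
    "$@" 1>&2 || _rc=$?    # no timeout binary: run without a limit
  fi
  _outcome=$(classify_wait_exit "$_rc")
  case "$_outcome" in
    hung)  echo "hint: rerun without --wait, then check the P0 UI or logs" >&2 ;;
    error) echo "hint: inspect the printed message and adjust parameters" >&2 ;;
  esac
  echo "$_outcome"
  return "$_rc"
}

# When executed with arguments, treat them as the command to run.
if [ "$#" -gt 0 ]; then
  run_grant_wait "$@"
fi
```
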


5. Backend & Server Errors

| Error Message | Cause | Resolution |
| --- | --- | --- |
| `500 Internal Server Error` | Unexpected failure in the P0 backend. | Retry after a short wait. If persistent, capture your command, timestamp, and contact P0 support. |
| `429 Too Many Requests` | You’ve hit rate limits on the P0 API. | Space out your requests, or batch them to stay within limits. |


7. Debugging Tips

  1. Enable CLI Debug Logging

         P0_CLI_DEBUG=true p0 grant …

     Shows detailed HTTP and error traces in stderr.

  2. Test the API Directly

         curl -X POST https://<tenant>/o/<org>/command/ \
           -H "Authorization: Bearer $(p0 debug-token)" \
           -d '{"argv":["grant",…],"scriptName":"p0"}'

     Examine raw JSON for clearer error fields.

  3. Validate Local Config

         jq .appUrl ~/.p0/config.json

     Ensure the appUrl points at your P0 tenant.

  4. Cross-Check with Native CLIs

     If a provider-side error occurs, verify directly in that platform’s CLI or console (e.g., aws iam get-role …, gcloud projects get-iam-policy …).


If you encounter an issue not covered here, please gather:

  • Exact p0 grant command you ran

  • Full error output (copy/paste)

  • Debug logs (P0_CLI_DEBUG=true)

Then reach out to your P0 support team for assistance.
