p0cli: grant: Troubleshooting
Last updated: May 1, 2025
Troubleshooting Guide: p0 grant
When using p0 grant, you may encounter errors due to authentication issues, network problems, invalid inputs, or backend failures. This guide walks through common scenarios, their root causes, and how to resolve them.
1. Authentication & Authorization Failures
Error Message Cause Resolution | ||
Please run 'p0 login <organization>' to use the P0 CLI. | You haven’t logged in or your identity file is missing. | Execute p0 login <your-org-slug> and complete the OIDC flow. |
Could not load credentials for "<name>" | Corrupt or expired credential cache. | Remove the cache with rm -rf ~/.p0/identity-cache and re-run p0 login. |
Silent hang or authentication failure | Auto-refresh of an expired token failed. | Manually clear credentials (p0 logout or delete ~/.p0/identity.json), then log in again. |
2. Network & Connectivity Issues
Error Message Cause Resolution | ||
Network error: Unable to reach the server at https://<tenant>/o/<org>/command/. | Cannot connect to the P0 API endpoint (DNS, firewall, proxy) | - Verify internet connectivity and DNS resolution.- Check appUrl in ~/.p0/config.json.- Whitelist the endpoint in your proxy/firewall. |
fetch failed | Underlying fetch call timed out or TLS handshake failed. | - Test with curl https://<tenant>/o/<org>/command/.- Ensure system clock is correct to avoid TLS certificate errors. |
3. Command Usage & Flag Errors
Error Message Cause Resolution | ||
Unknown argument: --foo | Typo or unsupported flag provided. | Run p0 grant <provider> --help to view valid flags. |
Error: Missing required argument: to | You omitted the --to flag. | Add --to alice@example.com (or the appropriate identifier). |
Error: Missing required argument: requested-duration | You omitted --requested-duration. | Specify --requested-duration "4 hours" (or another valid duration). |
Invalid duration format for '--requested-duration' | The duration string couldn’t be parsed. | Use human-friendly durations: 10 minutes, 2 hours, 5 days, 1 week. |
4. Resource & Principal Validation
Error Message Cause Resolution | ||
Invalid principal: <value> | The --to value isn’t recognized (typo or non-existent). | Confirm the principal’s email or service-account string is correct and exists in your identity provider. |
Resource not found: <resource> | The specified resource args are incorrect or don’t exist. | Validate the ARN, role name, group name, database name, etc., directly in the target system’s console or CLI. |
Permission denied (from provider API) | Your P0 role or provider credentials lack the right privileges | Ensure your P0 permissions and your provider-side role allow you to request this access. |
5.
--wait
Specific Issues
Hangs beyond 5 minutes
Cause: Provisioning endpoint is unresponsive or delayed.
Resolution: Rerun without --wait, then check the P0 UI or logs for the request status.
Exits with code 2 or 1
code 2 → Denied
code 1 → Error during provisioning
Resolution: Inspect the printed message, adjust your parameters, or contact your platform team for more details.
6. Backend & Server Errors
Error Message Cause Resolution | ||
500 Internal Server Error | Unexpected failure in the P0 backend. | Retry after a short wait. If persistent, capture your command, timestamp, and contact P0 support. |
429 Too Many Requests | You’ve hit rate limits on the P0 API. | Space out your requests, or batch them to stay within limits. |
7. Debugging Tips
Enable CLI Debug Logging
P0_CLI_DEBUG=true p0 grant … Shows detailed HTTP and error traces in stderr.
Test the API Directly
curl -X POST https://<tenant>/o/<org>/command/ \
-H "Authorization: Bearer $(p0 debug-token)" \
-d '{"argv":["grant",…],"scriptName":"p0"}'Examine raw JSON for clearer error fields.
Validate Local Config
jq .appUrl ~/.p0/config.jsonEnsure the appUrl points at your P0 tenant.
Cross-Check with Native CLIs
If a provider-side error occurs, verify directly in that platform’s CLI or console (e.g., aws iam get-role …, gcloud projects get-iam-policy …).
If you encounter an issue not covered here, please gather:
Exact p0 grant command you ran
Full error output (copy/paste)
Debug logs (P0_CLI_DEBUG=true)
Then reach out to your P0 support team for assistance.