p0cli: grant: Grant another user Just in Time Access

Last updated: May 1, 2025

Overview

The p0 grant command lets you request time-limited access for a principal (user, service account, or group) to a specific resource in your organization’s platforms—AWS, Azure AD, GCP, Kubernetes, Okta, PostgreSQL, Snowflake, SSH, and Google Workspace. Unlike p0 allow (which sets up standing access), p0 grant issues ephemeral access requests that:

  1. Trigger the provisioning workflow in the target system

  2. Optionally wait until the request is approved or denied

  3. Report the outcome and exit with a status code

Use p0 grant when you need just-in-time access for troubleshooting, one-off tasks, or short-lived sessions.


Prerequisites

  • Authenticated CLI session

    p0 login <organization-slug>

    If you’re not logged in or your token expired, p0 grant will prompt you to authenticate.

  • Tenant configuration

    Confirm ~/.p0/config.json has the correct appUrl for your P0 tenant.

  • Network access

    Ensure HTTPS egress to https://<your-tenant>/o/<org-slug>/command/.


Syntax

p0 grant <provider> <subcommand> [resource args…]
    --to <principal>
    --requested-duration <duration>
    [--reason <text>]
    [-w|--wait]
    [--help]

  • <provider>

    One of: aws, azure-ad, gcloud, k8s, okta, pg, snowflake, ssh, workspace

  • <subcommand> & resource args

    Vary by provider (see “Examples” or run p0 grant <provider> --help)

  • --to <principal>

    Required. Email or service-account identifier to receive access

  • --requested-duration <duration>

    Required. How long the granted session may last (e.g. 4 hours, 1 day)

  • --reason <text>

    (Optional) Justification for audit logs

  • -w, --wait

    (Optional) Block until the request is approved/denied (up to 5 minutes)

  • --help

    Show provider-specific subcommands and options

Duration formats:

Human-friendly strings such as 10 minutes, 2 hours, 5 days, 1 week.


Supported Providers

p0 grant aws        Amazon Web Services
p0 grant azure-ad   Entra ID
p0 grant gcloud     Google Cloud
p0 grant k8s        Kubernetes
p0 grant okta       Okta
p0 grant pg         PostgreSQL
p0 grant snowflake  Snowflake
p0 grant ssh        Secure Shell (SSH)
p0 grant workspace  Google Workspace

For detailed resource arguments per provider, append --help:

p0 grant aws --help
p0 grant gcloud --help
# …etc.

Examples

AWS: Ephemeral IAM Policy on a Resource

p0 grant aws resource arn:aws:s3:::my-bucket/* ReadOnlyAccess \
  --account 123456789012 \
  --to alice@example.com \
  --requested-duration '1 days'

  • Subcommand: resource <ARN> <policy…>

  • Account: AWS account ID

  • Outcome: Alice can assume ReadOnlyAccess on my-bucket/* for up to 1 day.


GCP: One-Time IAM Role

p0 grant gcloud role roles/viewer \
  --project my-gcp-project \
  --to bob@example.com \
  --requested-duration '12 hours'

  • Subcommand: role <role-name>

  • Project: GCP project ID

  • Outcome: Bob gains the viewer role on my-gcp-project for 12 hours.


SSH: Temporary Group Membership

p0 grant ssh group --name devs \
  --to charlie@example.com \
  --requested-duration '4 hours'

  • Subcommand: group --name <group-name>

  • Outcome: Charlie is added to the SSH access group devs for 4 hours.
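
For scripted requests such as the SSH one above, the following wrapper is an added example, not P0's own code. It always passes --reason and --wait, refuses durations above a local cap before anything is sent, and propagates the exit status of p0 grant. MAX_GRANT_MINUTES, the function names, the refusal code 64 and the reading of a non-zero p0 exit status are assumptions; the page only states that the command exits with a status code.

```shell
#!/bin/sh
# Added example: guard-railed `p0 grant` call for scripts (not P0's own code).
# MAX_GRANT_MINUTES is a hypothetical local policy cap, not a P0 setting.
MAX_GRANT_MINUTES=${MAX_GRANT_MINUTES:-480}

# Convert a duration such as "4 hours" to minutes; fail on anything else.
duration_to_minutes() {
  _n=${1%% *}; _unit=${1#* }
  # Reject empty, zero/leading-zero and non-numeric counts.
  case "$_n" in ''|0*|*[!0-9]*) return 1 ;; esac
  case "$_unit" in
    minute|minutes) echo "$_n" ;;
    hour|hours)     echo $((_n * 60)) ;;
    day|days)       echo $((_n * 1440)) ;;
    week|weeks)     echo $((_n * 10080)) ;;
    *) return 1 ;;
  esac
}

# jit_grant <principal> <duration> <reason> <provider> <subcommand> [resource args...]
jit_grant() {
  _to=$1; _dur=$2; _why=$3; shift 3
  case "$_to" in ''|*' '*) echo "refused: bad principal" >&2; return 64 ;; esac
  [ -n "$_why" ] || { echo "refused: --reason is mandatory here" >&2; return 64; }
  _min=$(duration_to_minutes "$_dur") || { echo "refused: bad duration" >&2; return 64; }
  [ "$_min" -le "$MAX_GRANT_MINUTES" ] || { echo "refused: over local cap" >&2; return 64; }
  # --wait blocks until approved or denied, so the exit status reflects the outcome.
  p0 grant "$@" --to "$_to" --requested-duration "$_dur" --reason "$_why" --wait
  _rc=$?
  # Assumption: 0 means approved and provisioned; non-zero means denied, failed or timed out.
  [ "$_rc" -eq 0 ] || echo "grant not provisioned (exit $_rc)" >&2
  return "$_rc"
}

# Usage (constructed ticket reference):
#   jit_grant charlie@example.com '4 hours' 'INC-0000 debug session' ssh group --name devs
```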


Tips & Best Practices

  • Use --wait in scripts to know immediately if provisioning succeeded or failed.

  • Always include --reason for auditability, even though it is optional.

  • Omit --wait if you just want to fire off the request and check status later in the P0 UI.

  • Verify principals ahead of time (correct email or service-account string).

  • Test with --requested-duration set low (e.g. 1 minute) to validate your