p0cli: ssh-resolve: How to use the ssh-resolve command
Last updated: May 2, 2025
Overview
The p0 ssh-resolve command provisions and prepares everything you need for an SSH session to a P0-managed instance. It:
Creates (or reuses) an approved SSH access request
Generates any provider-specific credentials or certificates
Writes a tiny SSH config file under ~/.p0/ssh/configs/<destination>.config
Leaves you ready to run ssh <destination> (with an Include stanza) or specify the generated config via -F
Use p0 ssh-resolve when you want to pre-stage your SSH configuration—ideal for automation, editor integrations, or when you need a clean, repeatable setup.
Prerequisites
P0 CLI, installed and logged in:
p0 login <your-org-slug>
Your organization must have an SSH integration enabled for AWS, Azure, or GCP.
Ensure you have network access to:
P0’s API (https://<tenant>/o/<org-slug>/command/)
The target instance via your cloud provider’s proxy (SSM, IAP, or Azure tunnel).
Syntax
p0 ssh-resolve <destination>
[--parent <parent-resource>]
[--provider <aws|azure|gcloud>]
[-q|--quiet]
[--debug]
Parameter | Required | Description |
<destination> | Yes | P0’s session alias for your instance (no slashes), e.g. prod-web-01. |
--parent <string> | No | The containing resource (account ID, project, subscription) to scope lookups. |
--provider <…> | No | Force a specific cloud SSH integration: aws, azure, or gcloud. |
-q, --quiet | No | Suppress all output (useful for scripting). |
--debug | No | Print extra diagnostic messages during provisioning and file writes. |
What Happens Under the Hood
Authentication
Loads your cached identity (or forces login) via Firebase/OIDC.
Destination Validation
Ensures the alias contains no /.
Access Request
Calls P0’s backend to create or reuse an approved-only SSH session request.
Key/Certificate Generation
Invokes any provider plugin’s generateKeys to produce a private key (and optional certificate).
Defaults to ~/.p0/ssh/id_rsa if no plugin-specific keys are created.
Temporary JSON
Writes the raw request payload to a safe temporary file (for use by ssh-proxy).
SSH Config Creation
Constructs and writes:
~/.p0/ssh/configs/<destination>.config
containing:
Host <destination>
Hostname <destination>
User <linuxUserName>
IdentityFile <private-key-path>
[CertificateFile <certificate-path>]
PasswordAuthentication no
ProxyCommand p0 ssh-proxy %h --port %p --provider <provider> \
--identityFile <private-key-path> --requestJson <temp-json-path>
Usage Examples
1. AWS Instance
# Pre-stage SSH config for 'prod-web-01'
p0 ssh-resolve prod-web-01 --provider aws --debug
# Use the generated config:
ssh -F ~/.p0/ssh/configs/prod-web-01.config prod-web-01
SSH config file is written to ~/.p0/ssh/configs/prod-web-01.config.
Replace --debug with -q for silent operation.
2. GCP Virtual Machine
# Resolve with project scoping
p0 ssh-resolve analytics-vm --provider gcloud --parent my-gcp-project
# Then simply:
ssh -F ~/.p0/ssh/configs/analytics-vm.config analytics-vm
--parent tells P0 which GCP project to search.
3. Azure VM (Default Port 22)
p0 ssh-resolve azure-vm --provider azure
ssh -F ~/.p0/ssh/configs/azure-vm.config azure-vm
Azure integration only supports port 22; no need to specify --port.
4. Fully Automated in Scripts
dest=my-app
# Provision and write config without noise
p0 ssh-resolve "$dest" --provider aws --quiet
# Launch SSH using the new config
ssh -F ~/.p0/ssh/configs/"$dest".config "$dest"
Tips & Best Practices
Include in ~/.ssh/config
Add at top of your SSH config:
Include ~/.p0/ssh/configs/*.config
Then you can ssh prod-web-01 directly.
Rotate Easily
Run p0 ssh-resolve <dest> again to refresh credentials or pick up policy changes.
Use %h and %p in custom configs to avoid hard-coding hostnames and ports.
Suppress Output
Use -q in CI/CD pipelines to avoid log clutter.
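With the Include tip, ssh trusts every file under ~/.p0/ssh/configs/, and ssh runs each ProxyCommand through your shell. The shell function below is an added example, not part of the P0 CLI or its documentation; it audits a generated config against the layout shown under SSH Config Creation. The function name, the individual checks, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the P0 CLI): audit a config written by
# `p0 ssh-resolve` before trusting it via Include or -F.
# Usage: check_p0_config <destination> <config-path>; returns 0 when clean.
check_p0_config() {
    dest=$1; cfg=$2; rc=0
    fail() { echo "FAIL($dest): $*" >&2; rc=1; }
    # First value of a keyword, matched case-insensitively as ssh does.
    field() {
        awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$cfg"
    }
    case $dest in ''|*/*) fail "alias must be non-empty and contain no '/'" ;; esac
    [ -f "$cfg" ] || { fail "missing config $cfg"; return 1; }
    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    [ "$(ls -ld "$cfg" | cut -c6,9)" = "--" ] || fail "config is group/other-writable"
    [ "$(field Host)" = "$dest" ] || fail "Host does not match the alias"
    [ "$(field PasswordAuthentication)" = "no" ] || fail "PasswordAuthentication is not 'no'"
    # ssh hands ProxyCommand to the user's shell, so accept only the documented
    # `p0 ssh-proxy ...` form and reject shell metacharacters (assumed policy).
    pc=$(field ProxyCommand)
    case $pc in "p0 ssh-proxy "*) ;; *) fail "ProxyCommand is not 'p0 ssh-proxy'" ;; esac
    if printf '%s' "$pc" | grep -q '[;|&$`<>]'; then fail "shell metacharacter in ProxyCommand"; fi
    # The private key must exist and carry no group/other permission bits.
    key=$(field IdentityFile)
    case $key in "~/"*) key=$HOME/${key#"~/"} ;; esac
    if [ -f "$key" ]; then
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || fail "key $key is too permissive"
    else
        fail "IdentityFile not found: $key"
    fi
    return "$rc"
}

# Constructed sample laid out as on this page (values are made up) so the check
# runs offline; for real output pass ~/.p0/ssh/configs/<destination>.config.
tmp=$(mktemp -d)
: > "$tmp/key"
cat > "$tmp/prod-web-01.config" <<EOF
Host prod-web-01
  Hostname prod-web-01
  User alice
  IdentityFile $tmp/key
  PasswordAuthentication no
  ProxyCommand p0 ssh-proxy %h --port %p --provider aws --identityFile $tmp/key --requestJson $tmp/request.json
EOF
chmod 600 "$tmp/key" "$tmp/prod-web-01.config"
check_p0_config prod-web-01 "$tmp/prod-web-01.config" && echo "prod-web-01: OK"
```

In a script, run the check between p0 ssh-resolve and ssh, and stop on a non-zero return.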
With p0 ssh-resolve, you can standardize and automate SSH configuration for any P0-managed instance—no manual editing or guesswork required.