Commit Graph
2625 Commits
Author SHA1 Message Date
Ishaan JaffandGitHub 825ea65b96 [Bug Fix] Responses API - Responses API failed if input containing ResponseReasoningItem (#13465)
* add test_responses_api_multi_turn_with_reasoning_and_structured_output

* fix transform_responses_api_request
2025-08-09 11:20:34 -07:00
Ishaan JaffandGitHub a843e876a8 [Feat] Working e2e flow for Responses API session management with media (#13456)
* add MultimodalContent on chat UI

* add multi modal img on chat ui

* utils for responses API imgs

* add code snippet with imgs

* chat UI add imgs

* add imge upload

* chat ui allow adding images

* fix chat send button

* fix button styles

* fix clear chat

* fixes session management

* fixes for session management

* QA fix _should_check_cold_storage_for_full_payload

* test_should_check_cold_storage_for_full_payload
2025-08-08 18:28:10 -07:00
Ishaan JaffandGitHub 3b65733af8 [Bug fix] - Error creating standard logging object - can't register atexit after shutdownLitellm fixes standard logging payload (#13436)
* fix: _generate_cold_storage_object_key

* _get_configured_cold_storage_custom_logger

* test_e2e_generate_cold_storage_object_key_runtime_error_handled
2025-08-08 12:38:26 -07:00
Jugal D. BhattandGitHub 51c2ff7c15 fix user membership issue (#13433) 2025-08-08 12:00:58 -07:00
Ishaan JaffandGitHub 3a35c82884 [Feat] Add reasoning_effort to OpenAIGPT5Config (#13434)
* add reasoning_effort toi OpenAIGPT5Config

* test_gpt5_supports_reasoning_effort
2025-08-08 11:57:12 -07:00
Thiago SalvatoreandGitHub c2ad858c83 fix(access group): allow access group on mcp tool retrieval (#13425)
* fix(access group): allow access group on mcp tool retrieval

* fix(test): fix broken tests and add test case for access group

* fix(mypy): fix typing issues
2025-08-08 08:55:46 -07:00
9761ba7c7a [Bug Fix] Responses api session management for streaming responses (#13396)
* fix proxy config

* fix(responses api): fix streaming ID consistency and tool format handling (#12640)

* fix(responses): ensure streaming chunk IDs use consistent encoding format

Fixes streaming ID inconsistency where streaming responses used raw provider IDs
while non-streaming responses used properly encoded IDs with provider context.

Changes:
- Updated LiteLLMCompletionStreamingIterator to accept provider context
- Added _encode_chunk_id() method using same logic as non-streaming responses
- Modified chunk transformation to encode all streaming item_ids with resp_ prefix
- Updated handlers to pass custom_llm_provider and litellm_metadata to streaming iterator

Impact:
- Streaming chunk IDs now format: resp_<base64_encoded_provider_context>
- Enables session continuity when using streaming response IDs as previous_response_id
- Allows provider detection and load balancing with streaming responses
- Maintains backward compatibility with existing streaming functionality

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(types): add explicit Optional[str] type annotation for model_id

This resolves MyPy type checking error where model_id could be None
but wasn't explicitly typed as Optional[str].

* fix(types): handle None case for litellm_metadata access

Prevents 'Item None has no attribute get' error by checking for None
before accessing litellm_metadata dictionary.

* test: add comprehensive tests for streaming ID consistency

Adds unit and E2E tests to verify streaming chunk IDs are properly encoded
with consistent format across streaming responses.

## Tests Added

### Unit Test (test_reasoning_content_transformation.py)
- `test_streaming_chunk_id_encoding()`: Validates the `_encode_chunk_id()` method
  correctly encodes chunk IDs with `resp_` prefix and provider context

### E2E Tests (test_e2e_openai_responses_api.py)
- `test_streaming_id_consistency_across_chunks()`: Tests that all streaming chunk IDs
  are properly encoded across multiple chunks in a real streaming response
- `test_streaming_response_id_as_previous_response_id()`: Tests the core use case -
  using streaming response IDs for session continuity with `previous_response_id`

## Key Testing Approach
- Uses **Gemini** (non-OpenAI model) to test the transformation logic rather than
  OpenAI passthrough, since the streaming ID consistency issue occurs when LiteLLM
  transforms responses rather than just passing through to native OpenAI responses API
- Tests validate that streaming chunk IDs now use same encoding as non-streaming responses
- Verifies session continuity works with streaming responses

Addresses @ishaan-jaff's request for unit tests covering the streaming ID consistency fix.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(lint): remove unused imports in transformation.py

Removes unused imports to fix CI linting errors:
- GenericResponseOutputItem
- OutputFunctionToolCall

* test: remove E2E tests from openai_endpoints_tests

Remove streaming ID consistency E2E tests as requested by @ishaan-jaff.
Keep only the mock/unit test in test_reasoning_content_transformation.py

* revert: remove streaming chunk ID encoding to original behavior

This reverts the streaming chunk ID encoding changes to understand the original issue better.
Original behavior was:
- Streaming chunks: raw provider IDs
- Streaming final response: raw IDs (PROBLEM!)
- Non-streaming final response: encoded IDs (correct)

The real issue: streaming final response IDs were not encoded, breaking session continuity.

* fix(responses): encode streaming final response IDs to match OpenAI behavior

Fixes streaming ID inconsistency to match OpenAI's Responses API behavior:
- Streaming chunks: raw message IDs (like OpenAI's msg_xxx)
- Final response: encoded IDs (like OpenAI's resp_xxx)

This enables session continuity by ensuring streaming final response IDs
have the same encoded format as non-streaming responses, allowing them
to be used as previous_response_id in follow-up requests.

Changes:
- Add custom_llm_provider and litellm_metadata to LiteLLMCompletionStreamingIterator
- Update handlers to pass provider context to streaming iterator
- Apply _update_responses_api_response_id_with_model_id to final streaming response
- Keep streaming chunks as raw IDs to match OpenAI format

Impact:
- Session continuity works with streaming responses
- Load balancing can detect provider from streaming final response IDs
- Format matches OpenAI's Responses API exactly

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test: update unit test to match correct OpenAI-compatible behavior

Updates the unit test to verify streaming chunk IDs are raw (not encoded)
to match OpenAI's responses API format:
- Streaming chunks: raw message IDs (like msg_xxx)
- Final response: encoded IDs (like resp_xxx)

This reflects the correct behavior implemented in the fix.

---------

Co-authored-by: Claude <noreply@anthropic.com>

* cleanup

* TestBaseResponsesAPIStreamingIterator

---------

Co-authored-by: Javier de la Torre <jatorre@carto.com>
Co-authored-by: Claude <noreply@anthropic.com>
2025-08-07 20:13:24 -07:00
Ishaan Jaff 7695882d8a test_supports_tool_choice 2025-08-07 16:56:45 -07:00
Ishaan JaffandGitHub 2037037258 [Bug Fix] OpenAI gpt-5 series does not support "max_tokens" parameter and temperature values that are not = 1 (#13390)
* add OpenAIGPT5Config

* add map_openai_params for gpt5

* add OpenAIGPT5Config

* add OpenAI gpt 5 transform

* docs gpt 5 openai
2025-08-07 16:35:00 -07:00
Ishaan Jaff e8c081b8ff test_stream_chunk_builder_litellm_usage_chunks 2025-08-07 15:22:52 -07:00
Ishaan Jaff dbb651ea95 remove old mapped test 2025-08-07 13:51:50 -07:00
Ishaan JaffandGitHub 621b3dca7b [Bug Fix] Mistral Tool Calling - Grammar error: at 3(11): failed to compile JSON schema (#13389)
* test_claude_tool_use_with_gemini

* add _remove_json_schema_refs

* add _clean_tool_schema_for_mistral

* fixes mistral tool calls

* _remove_json_schema_refs

* fix - vertex, remove hardcoded test
2025-08-07 13:50:22 -07:00
Ishaan Jaff 984f91f4f5 test_completion_gemini_stream 2025-08-07 13:24:00 -07:00
Ishaan JaffandGitHub 08ac2aeb6d Revert "Fix SSO Logout | Create Unified Login Page with SSO and Username/Password Options (#12703)" (#13387)
This reverts commit a752d7acc9.
2025-08-07 13:13:05 -07:00
Ishaan JaffandGitHub 4d941c914e [Feat] Responses API Session Handling - Multi media support (#13347)
* rename ResponsesSessionHandler

* use ResponsesSessionHandler

* test session handler

* refactor ResponsesSessionHandler

* fix get_proxy_server_request_from_spend_log

* use constant for LITELLM_TRUNCATED_PAYLOAD_FIELD

* add _should_check_cold_storage_for_full_payload

* add get_class_type_for_custom_logger_name

* get_active_custom_logger_for_callback_name

* add get_proxy_server_request_from_cold_storage to CustomLogger

* add ColdStorageHandler

* start using cold storage integration

* add get_proxy_server_request_from_cold_storage

* fixes from manual testing

* s3 v2 fix getting region name

* ChatCompletionImageUrlObject

* use _get_configured_cold_storage_custom_logger

* fixes for _should_check_cold_storage_for_full_payload

* fix _download_object_from_s3

* test_s3_v2_with_cold_storage

* add cold_storage_object_key to StandardLoggingMetadata

* use get_proxy_server_request_from_cold_storage_with_object_key

* add cold_storage_object_key to SpendLogsMetadata

* add cold_storage_object_key

* get_proxy_server_request_from_cold_storage_with_object_key

* use get_proxy_server_request_from_cold_storage_with_object_key

* test responses API

* add get_proxy_server_request_from_cold_storage_with_object_key

* session handler fixes

* test session handler

* fix ruff checks

* _download_object_from_s3

* cleanup

* test

* lint fix

* test_e2e_cold_storage_successful_retrieval

* test_e2e_generate_cold_storage_object_key_successful

* test_async_gcs_pub_sub_v1

* test fix

* test fix

* test fix

* test_standard_logging_metadata_has_cold_storage_object_key_field

* test_sanitize_request_body_for_spend_logs_payload_basic

* test_transform_input_image_item_to_image_item_with_image_data
2025-08-07 10:59:53 -07:00
Anand KhinvasaraandGitHub 96dca4eff8 fix: 12152 - Redacted sensitive information logged in bedrock guardrails (#13356) 2025-08-07 08:42:11 -07:00
Edward D'AmatoandGitHub 30fc5b871c feat(integrations): allow setting of braintrust callback base url (#13368)
* feat(integrations): allow setting of braintrust callback base url

* chore(misc): remove extra additions due to merge
2025-08-07 08:40:11 -07:00
Ishaan Jaff dfada882f1 vtx test fix gemini-2.5-flash-lite 2025-08-07 00:11:10 -07:00
yeahyungandGitHub a92bf8173e Fix create, search vector store error (#13285)
* (#13284) add avector_store_create to route_type which doesn't require model

* (#13284) exclude hidden params in metadata when create vector store

* (#13284) fix lint error

* (#13284) keep metadata None if metadata is None(not empty dict)

* (#13284) add test code

* (#13284) change test code name

* (#13284) add avector_store_search to route_type which doesn't require model
2025-08-06 11:15:17 -07:00
Jugal D. BhattandGitHub b1a8968895 [MCP Gateway] fix auth on ui for bearer servers (#13312)
* fix auth on ui for bearer servers

* add tests and fixes

* fix tests
2025-08-06 09:46:10 -07:00
Ishaan Jaff eeed03a78f test fix: gcp deprecated gemini-1.5-flash 2025-08-06 08:43:45 -07:00
Krish DholakiaandGitHub 0da25fadc0 Exclude none fields on /chat/completion - fixes n8n bug + Allow calling /v1/models when end user over budget (#13320)
* fix(proxy_server.py): exclude none fields before returning

Fixes https://github.com/BerriAI/litellm/issues/13055

* test: add unit tests

* feat(auth_checks.py): allow info routes to work when end user over budget

Fixes https://github.com/BerriAI/litellm/issues/13286
2025-08-05 21:39:46 -07:00
zjx20andGitHub 92c525ddfe feat(JinaAI): support multimodal embedding models (#13181)
* feat(JinaAI): support multimodal embedding models

* add test case

* add test

* fix test
2025-08-05 19:21:56 -07:00
Krish DholakiaandGitHub 324cfe8bdc fix(streaming_handler.py): include cost in streaming usage object (#13319)
Fixes https://github.com/BerriAI/litellm/issues/12689
2025-08-05 18:38:31 -07:00
Jugal D. BhattandGitHub b6fcda2f8a [LLM Translation] Fix model group on clientside auth with API calls (#13314)
* fix unsupported operand type(s) for +=: 'NoneType' and 'str' on clientside auth creds for responses

* fix the client side auth to use correct metadata

* add more tests

* fix tests
2025-08-05 17:46:47 -07:00
Ishaan JaffandGitHub b455ada161 [Bug Fix] [Bug]: New Databricks Foundation Models databricks-gpt-oss-20b and databricks-gpt-oss-120b failed with error: litellm.APIConnectionError: 'signature' (#13318)
* test_transform_choices_without_signature

* fix ChatCompletionThinkingBlock

* extract_reasoning_content
2025-08-05 17:46:40 -07:00
Ishaan JaffandGitHub dab8ba03e3 [Feat] - When using custom tags on prometheus allow using wildcard patterns (#13316)
* _tag_matches_wildcard_configured_pattern

* test_get_custom_labels_from_tags_wildcard_patterns

* docs Custom Tags

* docs how custom tags work

* fix
2025-08-05 17:46:13 -07:00
Ishaan JaffandGitHub 0ccc493455 [Bug]: Fix Mimetype Resolution Error in Bedrock Document Understanding (#13309)
* fix _validate_format for BedrockImageProcessor

* add test

* fix _validate_format for bedrock

* _get_document_format

* test_bedrock_get_document_format_fallback_mimes

* fix: add fallback method for mime type detection
2025-08-05 17:07:10 -07:00
Jugal D. BhattandGitHub 32501c85f5 fix unsupported operand type(s) for +=: 'NoneType' and 'str' on clientside auth creds for responses (#13293) 2025-08-05 13:16:16 -07:00
Jugal D. BhattandGitHub 609fa9f5ca [LLM Translation + Coding tools] Added litellm claude code count tokens support (#13261)
* Added litellm claude code count tokens support

* fix mypy

* create helper

* Revert construct

* revert construct

* fix return

* Add reutrn none

* change to factory approach

* refactor to BaseModelInfo

* enum fix
2025-08-05 10:57:24 -07:00
Jugal D. BhattandGitHub 29a8c583c2 added redis iam auth (#13275) 2025-08-05 10:56:34 -07:00
Ishaan Jaff 5a02eb473b test_function_calling_with_tool_response 2025-08-05 09:55:47 -07:00
Krish DholakiaandGitHub 416da066eb fix(main.py): handle tool being a pydantic object (#13274)
* fix(main.py): handle tool being a pydantic object

Fixes https://github.com/BerriAI/litellm/issues/13064

* fix(prompt_templates/common_utils.py): fix unpack defs deepcopy issue

Fixes https://github.com/BerriAI/litellm/issues/13151

* fix(utils.py): handle tools is none
2025-08-04 23:44:02 -07:00
Krish DholakiaandGitHub eb49f987de Ensure disable_llm_api_endpoints works + Add wildcard model support for 'team-byok' model (#13278)
* fix(route_checks.py): ensure disable llm api endpoints is correctly set

* fix(route_checks.py): raise httpexception

raise expected exceptions

* fix(router.py): handle team only wildcard models

fixes issue where team only wildcard models were not considered during auth checks

* fix(router.py): handle team only wildcard models

fixes issue where team only wildcard models were not considered during auth checks
2025-08-04 23:19:51 -07:00
Jugal D. BhattandGitHub efd34966dc [LLM Translation] Support /v1/models/{model_id} retrieval (#13268)
* added model id endpoint

* fix test

* add route to internal users

* make the functions reusable

* fixed mypy
2025-08-04 18:03:59 -07:00
Jugal D. BhattandGitHub de7108b5f8 input cost per token higher than 1 test (#13270) 2025-08-04 18:02:03 -07:00
Ishaan JaffandGitHub ba1882fdd5 [Bug Fix] Prometheus - fix for litellm_input_tokens_metric, litellm_output_tokens_metric - Note this updates the metric name (#13271)
* fixes for litellm_tokens_metric

* test_prometheus_token_metrics_with_prometheus_config
2025-08-04 17:22:21 -07:00
Pascal BroandGitHub a17d483c89 Add GCS bucket caching support (#13122) 2025-08-04 16:09:33 -07:00
breno-aumoandGitHub 056b60a9fa Support OCI provider (#13206)
* create OCI required files

* request and response conversion for non-streaming chat

* support tool calling with OCI generic API without streaming

* adaptation of api call for generic and cohere format

* include tool calls and responses in generic api and dropping support for cohere

* fix invalid content-length error

* support streaming for generic api

* fix auth error when using acompletion with streaming

* refactor: use base_llm_http_handler and include API type definitions

* update types and add type safety in different methods

* fix OCIFunction format

* create custom stream wrapper for decoding OCI stream

* remove unused files

* create unit tests for OCI

* lint the code

* remove manual test

* docs: update the docs to include OCI
2025-08-04 15:59:25 -07:00
Ishaan JaffandGitHub 849f5e0ba0 [Bug Fix] Fix Server root path regression on UI when using "Login" (#13267)
* bug fix serve_login_page

* test_serve_login_page_server_root_path
2025-08-04 15:58:28 -07:00
Ishaan JaffandGitHub f3749709b8 Bug Fix - Responses API raises error with Gemini Tool Calls in input (#13260)
* add _transform_responses_api_function_call_to_chat_completion_message

* test_responses_api_with_tool_calls

* TestFunctionCallTransformation

* fixes for responses API testing google ai studio

* TestGoogleAIStudioResponsesAPITest

* test_responses_api_with_tool_calls

* test_responses_api_with_tool_calls

* test_basic_openai_responses_streaming_delete_endpoint
2025-08-04 12:01:33 -07:00
Ishaan JaffandGitHub dae72003a7 [Bug Fix] OpenAI / Azure Responses API - Add service_tier , safety_identifier supported params (#13258)
* test_aresponses_service_tier_and_safety_identifier

* add service_tier + safety_identifier

* fix get_supported_openai_params

* add safety_identifier + service_tier for responses()
2025-08-04 10:51:53 -07:00
Jugal D. BhattandGitHub 36229dc69f [LLM Translation] Fix Model Usage not having text tokens (#13234)
* fix + test

* remove test comments

* fix mypy

* fix mypy

* fix tests
2025-08-04 21:06:49 +05:30
Krish DholakiaandGitHub 3119064e94 Prompt Management - add prompts on UI (#13240)
* fix(create_key_button.tsx): add prompts on UI

* feat(key_management_endpoints.py): support adding prompt to key via `/key/update`

* fix(key_info_view.tsx): show existing prompts on key in key_info_view.tsx

* fix(key_edit_view.tsx): UX - disable premium feature for non-premium users

prevent accidental clicking

* fix(create_key_button.tsx): disable premium features behind flag, prevent errors

* feat(prompts.tsx): add new ui component to view created prompts

enables viewing prompts created on config

* feat(prompt_info.tsx): add component for viewing the prompt information

* feat(prompt_endpoints.py): support converting dotprompt to json structure + accept json structure in promptmanager

allows prompt manager to work with api endpoints

* test(test_prompt_manager.py): add unit tests for json data input

* feat(dotprompt/__init__.py): add prompt data to dotpromptmanager

* fix(prompt_endpoints.py): working crud endpoints for prompt management

* feat(prompts/): support `prompt_file` for dotprompt

allows to precisely point to the prompt file a prompt should use

* feat(proxy/utils.py): resolve prompt id correctly

resolves user sent prompt id with internal prompt id

* feat(schema.prisma): initial pr with db schema for prompt management table

allows post endpoints to work with backend

* feat(prompt_endpoints.py): use db in patch_prompt endpoint

* feat(prompt_endpoints.py): use db for update_prompt endpoint

* feat(prompt_endpoints.py): use db on prompt delete endpoint

* build(schema.prisma): add prompt tale to schema.prisma in litellm-proxy-extras

* build(migration.sql): add new sql migration file

* fix(init_prompts.py): fix init

* feat(prompt_info_view.tsx): show the raw prompt template on ui

allows developer to know the prompt template they'll be calling

* feat(add_prompt_form.tsx): working ui add prompt flow

allows user to add prompts to litellm via ui

* build(ui/): styling fixes

* build(ui/): prompts.tsx

styling improvements

* fix(add_prompt_form.tsx): styling improvements

* build(prompts.tsx): styling improvements

* build(ui/): styling improvements

* build(ui/): fix ui error

* fix: fix ruff check

* docs: document new api params

* test: update tests
2025-08-02 22:33:37 -07:00
Ishaan Jaff 2dd9361cd9 Revert "Revert "Fix SSO Logout | Create Unified Login Page with SSO and Username/Password Options (#12703)""
This reverts commit 5fe37b6f72060add859a22ddda0665cd1635f98f.
2025-08-02 12:25:22 -07:00
Ishaan Jaff af9031ba41 Revert "Fix SSO Logout | Create Unified Login Page with SSO and Username/Password Options (#12703)"
This reverts commit a752d7acc9.
2025-08-02 12:25:22 -07:00
Krish DholakiaandGitHub 342fd2d8b6 Revert "fix: role chaining and session name with webauthentication for aws be…" (#13230)
This reverts commit 0ac093b59e.
2025-08-02 10:11:58 -07:00
Alexander YastrebovandGitHub 825923e7be litellm/proxy: preserve model order of /v1/models and /model_group/info (#13178)
Closes #12644

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
2025-08-02 08:57:38 -07:00
0ac093b59e fix: role chaining and session name with webauthentication for aws bedrock (#13205)
* fix(bedrock): prevent duplicate role assumption in EKS/IRSA environments

Fixes issue where AWS role assumption would fail in EKS/IRSA environments
when trying to assume the same role that's already being used.

The problem occurred when:
1. EKS/IRSA automatically assumes a role (e.g., LitellmRole)
2. LiteLLM tries to assume the same role again, causing AccessDenied errors
3. Different models with different roles would fail due to incorrect role context

Changes:
- Added check in _auth_with_aws_role() to detect if already using target role
- Skip role assumption if current identity matches target role
- Return current credentials instead of attempting duplicate assumption
- Added comprehensive test coverage for the fix

This ensures proper role chaining works in EKS/IRSA environments where:
- Service Account can assume Role A
- Role A can assume Role B for different models/accounts

Resolves the AccessDenied errors reported in bedrock usage scenarios.

* fix(bedrock): simplify role assumption for EKS/IRSA environments

Fixes AWS Bedrock role assumption in EKS/IRSA environments by properly
handling ambient credentials when no explicit credentials are provided.

The issue occurred because commit 197e7efa8f
introduced changes that broke role assumption in EKS/IRSA environments.

Changes:
- Simplified _auth_with_aws_role() to use ambient credentials when no
  explicit AWS credentials are provided (aws_access_key_id and
  aws_secret_access_key are both None)
- This allows web identity tokens in EKS/IRSA to work automatically
  through boto3's credential chain
- Maintains backward compatibility for explicit credential scenarios

Added comprehensive test coverage:
- test_eks_irsa_ambient_credentials_used: Verifies ambient credentials work
- test_explicit_credentials_used_when_provided: Ensures explicit creds still work
- test_partial_credentials_still_use_ambient: Edge case handling
- test_cross_account_role_assumption: Multi-account scenarios
- test_role_assumption_with_custom_session_name: Custom session names
- test_role_assumption_ttl_calculation: TTL calculation verification
- test_role_assumption_error_handling: Error propagation
- test_multiple_role_assumptions_in_sequence: Sequential role assumptions

This fix ensures that in EKS/IRSA environments:
1. Service accounts can assume their initial role via web identity
2. That role can then assume other roles across accounts as configured
3. Different models can use different roles without conflicts

* fix(bedrock): add automatic IRSA detection for EKS environments

- Detect AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables
- Automatically use web identity token flow when IRSA is detected
- Read web identity token from file and pass to existing auth method
- Add test coverage for IRSA environment detection
- Fixes authentication errors in EKS with IRSA when no explicit credentials provided

* fix(bedrock): skip role assumption when IRSA role matches requested role

- Detect when AWS_ROLE_ARN environment variable matches the requested role
- Skip unnecessary role assumption when already running as the target role
- Use existing env vars authentication method for IRSA credentials
- Add test coverage for same-role IRSA scenario
- Fixes 'not authorized to perform: sts:AssumeRole' errors when trying to assume the same role

* fix(bedrock): use boto3's native IRSA support for cross-account role assumption

- Replace custom web identity token handling with boto3's built-in IRSA support
- boto3 automatically reads AWS_WEB_IDENTITY_TOKEN_FILE and assumes initial role
- Then use standard assume_role for cross-account access
- Update test to mock boto3 STS client instead of internal methods
- Fixes 'OIDC token could not be retrieved from secret manager' error

* fix(bedrock): improve IRSA error handling and add debug logging

- Add debug logging to show current identity and role assumption attempts
- Provide clearer error messages for trust policy issues
- Fix region handling in IRSA flow
- Re-raise exceptions instead of silently falling through
- This helps diagnose cross-account role assumption permission issues

* fix(bedrock): manually assume IRSA role with correct session name for cross-account scenarios

- When doing cross-account role assumption, manually assume the IRSA role first with the desired session name
- This ensures the session name in the assumed role ARN matches what's expected in trust policies
- For same-account scenarios, continue using boto3's automatic IRSA support
- Updated tests to handle the new flow
- This fixes the issue where cross-account trust policies require specific session names

* fix: Fix linting issues in base_aws_llm.py

- Fix f-string without placeholders (F541)
- Refactor _auth_with_aws_role to reduce statements count (PLR0915)
  - Extract _handle_irsa_cross_account helper method
  - Extract _handle_irsa_same_account helper method
  - Extract _extract_credentials_and_ttl helper method

---------

Co-authored-by: openhands <openhands@all-hands.dev>
2025-08-02 08:55:35 -07:00
Sameer KankuteandGitHub 1e33dc50a0 add Perplexity citation annotations support (#13225) 2025-08-02 08:47:35 -07:00