mirror of
https://github.com/tiennm99/litellm.git
synced 2026-07-10 11:03:42 +00:00
5e34fdce77
* feat(vertex_ai): support explicit AWS credentials for WIF auth The current Vertex AI AWS Workload Identity Federation implementation exclusively uses google.auth.aws.Credentials.from_info(), which requires EC2 instance metadata access to obtain AWS credentials. In environments where the metadata service is blocked for security reasons, this makes WIF unusable. Add support for explicit AWS credentials by implementing a custom AwsSecurityCredentialsSupplier (google-auth >= 2.29.0). When aws_* keys (e.g. aws_role_name, aws_region_name) are present in the WIF credential JSON, LiteLLM uses BaseAWSLLM.get_credentials() to obtain AWS creds via STS AssumeRole (or any other supported AWS auth flow), wraps them in the custom supplier, and passes them to aws.Credentials() — bypassing the metadata service entirely. When no aws_* keys are present, the existing from_info() flow is used unchanged, preserving full backward compatibility. * refactor(vertex_ai): extract AWS WIF auth to own class + add docs Address PR review feedback: - Move _AWS_CREDENTIAL_KEYS, _extract_aws_params(), and _credentials_from_aws_with_explicit_auth() from VertexBase into new VertexAIAwsWifAuth class in vertex_ai_aws_wif.py - Add documentation for explicit AWS credentials WIF auth method in vertex.md (supported params, JSON example, SDK/Proxy tabs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix(vertex_ai): use lazy credentials provider to prevent stale STS tokens --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>