-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial OIDC support (Google/GitHub/CircleCI -> Amazon Bedrock & Azure OpenAI) #3507
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
@@ -2089,6 +2090,10 @@ def set_client(self, model: dict): | |||
raise ValueError( | |||
f"api_base is required for Azure OpenAI. Set it on your config. Model - {model}" | |||
) | |||
azure_ad_token = litellm_params.get("azure_ad_token") | |||
if azure_ad_token is not None: | |||
if azure_ad_token.startswith("oidc/"): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Manouchehri can we add a simple unit test in test_router.py
to make sure this is always respected?
We've had previous regressions due to untested flows (thinking of cloudflare). Would help to have something for this
print(f"secret_val: {redact_oidc_signature(secret_val)}") | ||
|
||
|
||
@pytest.mark.skipif(os.environ.get('CIRCLE_OIDC_TOKEN_V2') is None, reason="Cannot run without being in a CircleCI Runner") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way for us to add unit tests that can run on our ci/cd? @Manouchehri
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Circle CI ones should already work automatically!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh - how? we don't have these tokens
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are set by default. That's part of the ODIC magic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh sweet!
Title
Implement OIDC for Azure OpenAI and Amazon Bedrock requests.
Currently, this supports using OIDC from:
And this supports using the auth token for:
Relevant issues
Resolves #3505 and #3401.
Type
🆕 New Feature
🐛 Bug Fix
💻 Development Environment
🚄 Infrastructure
Changes
This allows using OIDC with Azure OpenAI.
Testing
You must set the following two env vars:
And see #3499 for the AWS IAM info.
Notes
Docs will be in a later PR.
Pre-Submission Checklist (optional but appreciated):
OS Tests (optional but appreciated):