Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial OIDC support (Google/GitHub/CircleCI -> Amazon Bedrock & Azure OpenAI) #3507

Merged
merged 7 commits into from
May 11, 2024
Merged

Initial OIDC support (Google/GitHub/CircleCI -> Amazon Bedrock & Azure OpenAI) #3507

merged 7 commits into from
May 11, 2024

Conversation

Manouchehri
Copy link
Collaborator

@Manouchehri Manouchehri commented May 7, 2024
edited

Title

Implement OIDC for Azure OpenAI and Amazon Bedrock requests.

Currently, this supports using OIDC from:

  • Google Cloud Run (tested)
  • GitHub Actions (untested but pretty sure it works)
  • Circle CI (untested but should work fine)

And this supports using the auth token for:

  • Amazon Bedrock
  • Azure OpenAI

Relevant issues

Resolves #3505 and #3401.

Type

🆕 New Feature
🐛 Bug Fix
💻 Development Environment
🚄 Infrastructure

Changes

This allows using OIDC with Azure OpenAI.

Testing

model_list:
  - model_name: gpt-4-0125-preview
    litellm_params:
      model: azure/gpt-4-0125-preview
      azure_ad_token: "oidc/google/https://example.com"
      api_version: "2024-03-01-preview"
      api_base: "https://demo-here.openai.azure.com"
    model_info:
      base_model: azure/gpt-4-0125-preview

  - model_name: claude-3-haiku-20240307
    litellm_params:
      model: bedrock/anthropic.claude-3-haiku-20240307-v1:0
      aws_region_name: us-east-1
      aws_session_name: "litellm"
      aws_role_name: "arn:aws:iam::YOUR_THING_HERE:role/litellm-google-demo"
      aws_web_identity_token: "oidc/google/https://example.com"

You must set the following two env vars:

AZURE_CLIENT_ID=asdf
AZURE_TENANT_ID=asdf

And see #3499 for the AWS IAM info.

Notes

Docs will be in a later PR.

Pre-Submission Checklist (optional but appreciated):

  • I have included relevant documentation updates (stored in /docs/my-website)

OS Tests (optional but appreciated):

  • Tested on Windows
  • Tested on MacOS
  • Tested on Linux

@vercel Vercel
Copy link

vercel bot commented May 7, 2024
edited

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
litellm ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 8, 2024 3:48pm

@Manouchehri Manouchehri changed the title Add OIDC support for Azure OpenAI Initial OIDC support (Google/GitHub/CircleCI -> Amazon Bedrock & Azure OpenAI) May 7, 2024
@Manouchehri Manouchehri mentioned this pull request May 7, 2024
Closed
4 tasks
krrishdholakia
krrishdholakia reviewed May 11, 2024
View reviewed changes
litellm/router.py
@@ -2089,6 +2090,10 @@ def set_client(self, model: dict):
raise ValueError(
f"api_base is required for Azure OpenAI. Set it on your config. Model - {model}"
)
azure_ad_token = litellm_params.get("azure_ad_token")
if azure_ad_token is not None:
if azure_ad_token.startswith("oidc/"):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Manouchehri can we add a simple unit test in test_router.py to make sure this is always respected?

We've had previous regressions due to untested flows (thinking of cloudflare). Would help to have something for this

krrishdholakia
krrishdholakia reviewed May 11, 2024
View reviewed changes
litellm/tests/test_secret_manager.py
print(f"secret_val: {redact_oidc_signature(secret_val)}")


@pytest.mark.skipif(os.environ.get('CIRCLE_OIDC_TOKEN_V2') is None, reason="Cannot run without being in a CircleCI Runner")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a way for us to add unit tests that can run on our ci/cd? @Manouchehri

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Circle CI ones should already work automatically!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh - how? we don't have these tokens

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You do! :)

https://app.circleci.com/pipelines/github/BerriAI/litellm/9535/workflows/f221c9b2-008d-47c0-b7cd-507d7e857d6c/jobs/20702?invite=true#step-99-2233_32

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are set by default. That's part of the ODIC magic.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh sweet!

@krrishdholakia krrishdholakia merged commit 4006379 into BerriAI:main May 11, 2024
2 checks passed
@Manouchehri Manouchehri mentioned this pull request May 11, 2024
Closed
@Manouchehri Manouchehri mentioned this pull request May 27, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krrishdholakia krrishdholakia krrishdholakia left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Feature]: Upstream OIDC for Azure OpenAI
2 participants
@Manouchehri @krrishdholakia