
Commit 0d285c8

Merge pull request #13919 from stevenmanton/fix-aws-assume-role-with-token
Add support for AWS assume_role with a session token
2 parents a7bb5bc + d955784 commit 0d285c8


3 files changed

+17
-1
lines changed


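--- a/litellm/llms/bedrock/base_aws_llm.py
+++ b/litellm/llms/bedrock/base_aws_llm.py
@@ -202,6 +202,7 @@ def get_credentials(
 credentials, _cache_ttl = self._auth_with_aws_role(
 aws_access_key_id=aws_access_key_id,
 aws_secret_access_key=aws_secret_access_key,
+aws_session_token=aws_session_token,
 aws_role_name=aws_role_name,
 aws_session_name=aws_session_name,
 )
@@ -554,6 +555,7 @@ def _auth_with_aws_role(
 self,
 aws_access_key_id: Optional[str],
 aws_secret_access_key: Optional[str],
+aws_session_token: Optional[str],
 aws_role_name: str,
 aws_session_name: str,
 ) -> Tuple[Credentials, Optional[int]]:
@@ -614,6 +616,7 @@ def _auth_with_aws_role(
 "sts",
 aws_access_key_id=aws_access_key_id,
 aws_secret_access_key=aws_secret_access_key,
+aws_session_token=aws_session_token,
 )
 
 sts_response = sts_client.assume_role(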
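Review bot: In the third hunk `aws_session_token` is handed to the `sts` client exactly as received, with no visible check that `aws_access_key_id` and `aws_secret_access_key` are set alongside it. A session token is only valid together with the temporary key pair it was issued with, so a token arriving on its own points to a misconfiguration that would be better surfaced than passed along. The parameter added to `_auth_with_aws_role` in the second hunk is also undocumented; a comment such as `# aws_session_token: token of the temporary credentials used to call AssumeRole; only meaningful with both key id and secret` would state that contract. Both function bodies extend beyond these hunks, so a guard may exist outside the visible lines.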

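--- a/tests/llm_translation/test_aws_base_llm.py
+++ b/tests/llm_translation/test_aws_base_llm.py
@@ -88,6 +88,7 @@ def test_auth_with_aws_role(mock_boto3_client, base_aws_llm):
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id="test_access",
 aws_secret_access_key="test_secret",
+aws_session_token="test_token",
 aws_role_name="test_role",
 aws_session_name="test_session",
 )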

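--- a/tests/test_litellm/llms/bedrock/test_base_aws_llm.py
+++ b/tests/test_litellm/llms/bedrock/test_base_aws_llm.py
@@ -576,6 +576,7 @@ def test_eks_irsa_ambient_credentials_used():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole",
 aws_session_name="test-session"
 )
@@ -630,6 +631,7 @@ def test_explicit_credentials_used_when_provided():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id="explicit-access-key",
 aws_secret_access_key="explicit-secret-key",
+aws_session_token="assumed-session-token",
 aws_role_name="arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole",
 aws_session_name="test-session"
 )
@@ -639,6 +641,7 @@ def test_explicit_credentials_used_when_provided():
 "sts",
 aws_access_key_id="explicit-access-key",
 aws_secret_access_key="explicit-secret-key",
+aws_session_token="assumed-session-token",
 )
 
 # Should call assume_role
@@ -687,6 +690,7 @@ def test_partial_credentials_still_use_ambient():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id="AKIAEXAMPLE",
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole",
 aws_session_name="test-session"
 )
@@ -695,7 +699,8 @@ def test_partial_credentials_still_use_ambient():
 mock_boto3_client.assert_called_once_with(
 "sts",
 aws_access_key_id="AKIAEXAMPLE",
-aws_secret_access_key=None
+aws_secret_access_key=None,
+aws_session_token=None,
 )
 
 # Should still call assume_role
@@ -737,6 +742,7 @@ def test_cross_account_role_assumption():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::999999999999:role/CrossAccountRole",
 aws_session_name="cross-account-session"
 )
@@ -789,6 +795,7 @@ def test_role_assumption_with_custom_session_name():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::1111111111111:role/LitellmRole",
 aws_session_name="evals-bedrock-session"
 )
@@ -832,6 +839,7 @@ def test_role_assumption_ttl_calculation():
 credentials, ttl = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::1111111111111:role/LitellmRole",
 aws_session_name="ttl-test-session"
 )
@@ -858,6 +866,7 @@ def test_role_assumption_error_handling():
 base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::1111111111111:role/UnauthorizedRole",
 aws_session_name="error-test-session"
 )
@@ -911,6 +920,7 @@ def test_multiple_role_assumptions_in_sequence():
 credentials1, ttl1 = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::1111111111111:role/LitellmRole",
 aws_session_name="session-1"
 )
@@ -919,6 +929,7 @@ def test_multiple_role_assumptions_in_sequence():
 credentials2, ttl2 = base_aws_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name="arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole",
 aws_session_name="session-2"
 )
@@ -980,6 +991,7 @@ def test_auth_with_aws_role_irsa_environment():
 creds, ttl = base_llm._auth_with_aws_role(
 aws_access_key_id=None,
 aws_secret_access_key=None,
+aws_session_token=None,
 aws_role_name='arn:aws:iam::222222222222:role/target-role',
 aws_session_name='test-session'
 )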
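Review bot: No test in these hunks covers `aws_session_token` being set while `aws_access_key_id` or `aws_secret_access_key` is `None`; every updated call passes either all three values (`test_explicit_credentials_used_when_provided`) or `aws_session_token=None`. That is the case where a misconfigured deployment would either send a stray token or fall back to ambient credentials without anyone noticing, so the intended behaviour deserves a pinned test, for example one that calls `_auth_with_aws_role` with only the token set and asserts what `boto3.client` receives. The tests also call the private method directly, so the forwarding added in `get_credentials` is not exercised here as far as the visible lines show; the test bodies continue outside the hunks.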
