[Feature]: Support azure workload identities to create azure ad tokens on proxy #1852
Comments
Sample code:

```python
from fastapi import FastAPI
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.core.exceptions import HttpResponseError

app = FastAPI()


# Function to get a secret from Azure Key Vault
def get_secret(secret_name):
    credential = DefaultAzureCredential()
    keyvault_name = "<your-keyvault-name>"
    keyvault_uri = f"https://{keyvault_name}.vault.azure.net"
    client = SecretClient(vault_url=keyvault_uri, credential=credential)
    try:
        secret = client.get_secret(secret_name)
        return secret.value
    except HttpResponseError:
        # Secret missing or access denied: the caller has to handle None
        return None


# Example route to demonstrate obtaining an Azure AD token
@app.get("/get_token")
async def get_token():
    tenant_id = get_secret("AzureAd-TenantId-SecretName")
    client_id = get_secret("AzureAd-ClientId-SecretName")
    # DefaultAzureCredential reads AZURE_TENANT_ID / AZURE_CLIENT_ID from the
    # environment; tenant_id and client_id above are fetched but not passed in
    credential = DefaultAzureCredential()
    token = credential.get_token("https://graph.microsoft.com/.default")
    return {"access_token": token.token}


if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8000)
```
Some more inspiration:

```python
from azure.identity import DefaultAzureCredential
import time


class AzureTokenManager:
    def __init__(self, scopes):
        self.scopes = scopes
        self.credential = DefaultAzureCredential()
        self.token = None
        self.expires_on = 0  # epoch seconds, as in AccessToken.expires_on

    def get_token(self, force_refresh=False):
        current_time = time.time()
        # Refresh the token if force_refresh is True or the token is expiring within 720 seconds
        if force_refresh or self.token is None or current_time > self.expires_on - 720:
            result = self.credential.get_token(self.scopes)
            self.token = result.token
            self.expires_on = result.expires_on
        return self.token


# Usage
scopes = "https://cognitiveservices.azure.com/.default"
token_manager = AzureTokenManager(scopes)
token = token_manager.get_token()
token = token_manager.get_token(force_refresh=True)
```
Even more inspiration: the AzureOpenAI python client actually has this feature built in, example here: https://github.com/LazaUK/AOAI-EntraIDAuth-SDKv1#scenario-3-authenticating-with-entra-id---service-principal
Do we have any updates on this feature? Like support azure_ad_token_provider in litellm proxy?
@RyoYang we already support azure ad token on litellm proxy?
See #3505, I think that's what you want?
@Manouchehri Thank you for the quick response. From my perspective, this PR indeed supports OIDC authentication for Google, GitHub, and CircleCI but not Azure workload identities. Could you please provide a quick example of how to configure an Azure workload identity case if I misunderstood? My ideal scenario is to use the Litellm proxy when using the OpenAI SDK, similar to Scenario 4 in this URL
Where/what are you running LiteLLM's proxy in?
Oh. I am running LiteLLM's Proxy in AKS as a model proxy, and other pods will use the openai SDK to chat with endpoints by using the litellm proxy service address.
Ah, so all we're missing is fetching an OIDC token I think. We would need to add it to: Lines 10030 to 10097 in a6a84e5
Right now, the config for using OIDC with Google Cloud Run is like:

```yaml
model_list:
  - model_name: gpt-4-0125-preview
    litellm_params:
      model: azure/gpt-4-0125-preview
      api_version: "2024-05-01-preview"
      azure_ad_token: "oidc/google/https://litellm.example.com"
      api_base: "https://example.openai.azure.com"
    model_info:
      base_model: azure/gpt-4-0125-preview
```

Instead of
Hi, I suggest using the official AzureOpenAI python client as it actually has this feature built in (token retrieval and use, via the azure_ad_token_provider parameter), example use here: https://github.com/LazaUK/AOAI-EntraIDAuth-SDKv1#scenario-3-authenticating-with-entra-id---service-principal and https://github.com/LazaUK/AOAI-EntraIDAuth-SDKv1?tab=readme-ov-file#scenario-4-authenticating-with-entra-id---managed-identity
Eh, using the official python client like that will make us lose out on being able to authenticate AKS -> Amazon Bedrock I think. It'd also lose out on being able to cache creds.
Yea! Exactly! Will the oidc URL be the oidc issuer from (az aks show --name myAKScluster --resource-group myResourceGroup --query "oidcIssuerProfile.issuerUrl" -o tsv)?
I don't need the issuer URL atm, right now I'm trying to figure out how we can get the OIDC token without resorting to the Python SDK if possible.
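The exchange asked about here, done without the Python SDK and combined with the 720-second refresh margin from the AzureTokenManager comment above, as an added example that is not code from this issue thread or from litellm. It assumes the environment variables the Azure workload identity webhook injects into an AKS pod (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE, optionally AZURE_AUTHORITY_HOST); the WorkloadIdentityTokenCache class and its injectable post/clock/read_assertion hooks are my own names.

```python
import json
import os
import time
import urllib.parse
import urllib.request

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
DEFAULT_AUTHORITY = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, federated_token, scope, authority=DEFAULT_AUTHORITY):
    """Client-credentials request that trades the Kubernetes-issued JWT for an Entra ID token."""
    url = f"{authority.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": federated_token,
    })
    return url, body


def http_post(url, body):
    """Real transport; swapped for a fake in tests so nothing leaves the host."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def read_federated_token(path):
    # kubelet rotates the projected token, so read the file on every exchange, not once at startup
    with open(path) as f:
        return f.read().strip()


class WorkloadIdentityTokenCache:
    REFRESH_MARGIN = 720  # seconds before expiry at which to refresh, as in the thread's manager

    def __init__(self, scope, post=http_post, clock=time.time, env=os.environ, read_assertion=read_federated_token):
        self.scope, self.post, self.clock, self.env, self.read_assertion = scope, post, clock, env, read_assertion
        self.token, self.expires_on = None, 0

    def get_token(self, force_refresh=False):
        now = self.clock()
        if force_refresh or self.token is None or now > self.expires_on - self.REFRESH_MARGIN:
            assertion = self.read_assertion(self.env["AZURE_FEDERATED_TOKEN_FILE"])
            url, body = build_token_request(self.env["AZURE_TENANT_ID"], self.env["AZURE_CLIENT_ID"], assertion,
                                            self.scope, self.env.get("AZURE_AUTHORITY_HOST", DEFAULT_AUTHORITY))
            resp = self.post(url, body)
            self.token = resp["access_token"]
            self.expires_on = now + int(resp["expires_in"])  # expires_in is relative, so anchor it to our clock
        return self.token
```

For Azure OpenAI the scope is the one the thread already uses, https://cognitiveservices.azure.com/.default.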
Ah, looks like it might be
@RyoYang or @olad32: Could you share For e.g. if you have:
Please only share with me:
The Feature
"we use Azure Active Directory Tokens. Those tokens are defined per deployment and are only valid for a certain amount of time. We cannot add the azure_ad_token flag in the config, as the token would expire after a couple of hours."
Motivation, pitch
User trying to use the proxy to call multiple LLMs in OpenAI format (in projects in different languages)