Skip to content

Allow passed in vertex_ai credentials to be authorized_user type #10899

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
May 19, 2025
Merged

Allow passed in vertex_ai credentials to be authorized_user type #10899

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b2880fe
Allow passed in vertex_ai credentials to be authorized_user type
pselden May 16, 2025
3323929
Fix comment in test
pselden May 16, 2025
0a2206d
Merge remote-tracking branch 'upstream/main' into vertex-ai-authorize…
pselden May 18, 2025
f1449db
Move auth methods to helpers so they can be mocked in tests
pselden May 18, 2025
9a45d0e
Merge remote-tracking branch 'upstream/main' into vertex-ai-authorize…
pselden May 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 11 additions & 5 deletions litellm/llms/vertex_ai/vertex_llm_base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,11 @@ def load_auth(
) -> Tuple[Any, str]:
import google.auth as google_auth
from google.auth import identity_pool
from google.auth.transport.requests import (
Request, # type: ignore[import-untyped]
)

if credentials is not None:
import google.oauth2.service_account

import google.oauth2.credentials as google_oauth_credentials

if isinstance(credentials, str):
verbose_logger.debug(
"Vertex: Loading vertex credentials from %s", credentials
Expand Down Expand Up @@ -81,6 +79,14 @@ def load_auth(
# Check if the JSON object contains Workload Identity Federation configuration
if "type" in json_obj and json_obj["type"] == "external_account":
creds = identity_pool.Credentials.from_info(json_obj)
# Check if the JSON object contains Authorized User configuration (via gcloud auth application-default login)
elif "type" in json_obj and json_obj["type"] == "authorized_user":
creds = google_oauth_credentials.Credentials.from_authorized_user_info(
json_obj,
scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
if project_id is None:
project_id = creds.quota_project_id # authorized user credentials don't have a project_id, only quota_project_id
else:
creds = (
google.oauth2.service_account.Credentials.from_service_account_info(
Expand All @@ -99,7 +105,7 @@ def load_auth(
if project_id is None:
project_id = creds_project_id

creds.refresh(Request()) # type: ignore
self.refresh_auth(creds)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switched to using this so I could mock it out in a test (the current test suite mocks out this entire method, but I want to actually test this thing)


if not project_id:
raise ValueError("Could not resolve project_id")
Expand Down
50 changes: 50 additions & 0 deletions tests/litellm/llms/vertex_ai/test_vertex_llm_base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,3 +174,53 @@ async def test_gemini_credentials(self, is_async):
)
assert token == ""
assert project == ""


@pytest.mark.parametrize("is_async", [True, False], ids=["async", "sync"])
@pytest.mark.asyncio
async def test_authorized_user_credentials(self, is_async):
vertex_base = VertexBase()

credentials = {
"account": "",
"client_id": "fake-client-id",
"client_secret": "fake-secret",
"quota_project_id": "test-project",
"refresh_token": "fake-refresh-token",
"type": "authorized_user",
"universe_domain": "googleapis.com"
}

with patch.object(vertex_base, "refresh_auth") as mock_refresh:
def mock_refresh_impl(creds):
creds.token = "refreshed-token"

mock_refresh.side_effect = mock_refresh_impl

# 1. Test that authorized_user-style credentials are correctly handled and uses quota_project_id
if is_async:
token, project = await vertex_base._ensure_access_token_async(
credentials=credentials, project_id=None, custom_llm_provider="vertex_ai"
)
else:
token, project = vertex_base._ensure_access_token(
credentials=credentials, project_id=None, custom_llm_provider="vertex_ai"
)


assert token == "refreshed-token"
assert project == "test-project"

# 1. Test that authorized_user-style credentials are correctly handled and uses passed in project_id
if is_async:
token, project = await vertex_base._ensure_access_token_async(
credentials=credentials, project_id="new-project", custom_llm_provider="vertex_ai"
)
else:
token, project = vertex_base._ensure_access_token(
credentials=credentials, project_id="new-project", custom_llm_provider="vertex_ai"
)


assert token == "refreshed-token"
assert project == "new-project"
Loading