Files
vault-plugin-secrets-litellm/path_credentials.go
unkinben ab3b02a48e Add LiteLLM dynamic secrets engine implementation
Populate the repo with the Vault/OpenBao dynamic secrets engine that mints
LiteLLM virtual keys scoped by model, spending limit, and lease TTL.

- Secrets backend: config, roles, creds paths and a revocable litellm_key type
- LiteLLM API client (generate/update/delete/info) with master-key auth
- Unit tests (mock LiteLLM) and a docker-compose e2e against both Vault and
  OpenBao proving the same binary works on each
- Makefile, woodpecker CI (build/test/pre-commit), pre-commit config
2026-07-02 23:22:18 +10:00

136 lines
3.6 KiB
Go

package litellm
import (
"context"
"fmt"
"time"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func pathCredentials(b *litellmBackend) *framework.Path {
return &framework.Path{
Pattern: "creds/" + framework.GenericNameRegex("name"),
DisplayAttrs: &framework.DisplayAttributes{
OperationPrefix: "litellm",
OperationSuffix: "credentials",
},
Fields: map[string]*framework.FieldSchema{
"name": {
Type: framework.TypeLowerCaseString,
Description: "Name of the role to generate a key for.",
Required: true,
},
},
Operations: map[logical.Operation]framework.OperationHandler{
logical.ReadOperation: &framework.PathOperation{
Callback: b.pathCredentialsRead,
},
logical.UpdateOperation: &framework.PathOperation{
Callback: b.pathCredentialsRead,
},
},
HelpSynopsis: "Generate a LiteLLM virtual key from a role.",
HelpDescription: "Reading from this path generates a new LiteLLM virtual key scoped by the named role's models, budget, and TTL.",
}
}
func (b *litellmBackend) pathCredentialsRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
roleName := data.Get("name").(string)
role, err := b.getRole(ctx, req.Storage, roleName)
if err != nil {
return nil, err
}
if role == nil {
return logical.ErrorResponse("role %q does not exist", roleName), nil
}
return b.createKey(ctx, req, roleName, role)
}
// createKey issues a new LiteLLM virtual key for the given role and wraps it in
// a Vault lease.
func (b *litellmBackend) createKey(ctx context.Context, req *logical.Request, roleName string, role *litellmRole) (*logical.Response, error) {
client, err := b.getClient(ctx, req.Storage)
if err != nil {
return nil, err
}
// Resolve the lease TTL against the role and mount/system limits.
ttl, maxTTL := b.resolveTTLs(role)
suffix, err := uuid.GenerateUUID()
if err != nil {
return nil, fmt.Errorf("generating key alias suffix: %w", err)
}
alias := fmt.Sprintf("%s-%s-%s", role.KeyAliasPrefix, roleName, suffix[:8])
genReq := generateKeyRequest{
Models: role.Models,
KeyAlias: alias,
Metadata: role.Metadata,
}
if role.MaxBudget > 0 {
budget := role.MaxBudget
genReq.MaxBudget = &budget
}
if ttl > 0 {
genReq.Duration = durationToLiteLLM(ttl)
}
key, err := client.GenerateKey(ctx, genReq)
if err != nil {
return nil, fmt.Errorf("generating litellm key: %w", err)
}
internal := map[string]interface{}{
"key": key.Key,
"key_alias": alias,
"role": roleName,
}
external := map[string]interface{}{
"key": key.Key,
"key_alias": alias,
"models": role.Models,
"max_budget": role.MaxBudget,
"role": roleName,
}
resp := b.Secret(litellmKeyType).Response(external, internal)
resp.Secret.TTL = ttl
resp.Secret.MaxTTL = maxTTL
if ttl > 0 {
resp.Secret.Renewable = true
}
return resp, nil
}
// resolveTTLs clamps the role's TTL/MaxTTL against the mount and system limits.
func (b *litellmBackend) resolveTTLs(role *litellmRole) (ttl, maxTTL time.Duration) {
sysMaxTTL := b.System().MaxLeaseTTL()
maxTTL = role.MaxTTL
if maxTTL <= 0 || maxTTL > sysMaxTTL {
maxTTL = sysMaxTTL
}
ttl = role.TTL
if ttl <= 0 {
ttl = b.System().DefaultLeaseTTL()
}
if ttl > maxTTL {
ttl = maxTTL
}
return ttl, maxTTL
}
// durationToLiteLLM converts a Go duration to a LiteLLM duration string. LiteLLM
// accepts an integer with an s/m/h/d suffix; seconds is always representable.
func durationToLiteLLM(d time.Duration) string {
return fmt.Sprintf("%ds", int(d.Seconds()))
}