Spaces:

Shyamnath
/

inferencing-llm

Sleeping

App Files Files Community

inferencing-llm / litellm /secret_managers /hashicorp_secret_manager.py

Shyamnath

Push core package and essential files

469eae6 11 days ago

raw

history blame contribute delete

12 kB

	import os
	from typing import Any, Dict, Optional, Union

	import httpx

	import litellm
	from litellm._logging import verbose_logger
	from litellm.caching import InMemoryCache
	from litellm.constants import SECRET_MANAGER_REFRESH_INTERVAL
	from litellm.llms.custom_httpx.http_handler import (
	_get_httpx_client,
	get_async_httpx_client,
	httpxSpecialProvider,
	)
	from litellm.proxy._types import KeyManagementSystem

	from .base_secret_manager import BaseSecretManager


	class HashicorpSecretManager(BaseSecretManager):
	def __init__(self):
	from litellm.proxy.proxy_server import CommonProxyErrors, premium_user

	# Vault-specific config
	self.vault_addr = os.getenv("HCP_VAULT_ADDR", "http://127.0.0.1:8200")
	self.vault_token = os.getenv("HCP_VAULT_TOKEN", "")
	# If your KV engine is mounted somewhere other than "secret", adjust here:
	self.vault_namespace = os.getenv("HCP_VAULT_NAMESPACE", None)

	# Optional config for TLS cert auth
	self.tls_cert_path = os.getenv("HCP_VAULT_CLIENT_CERT", "")
	self.tls_key_path = os.getenv("HCP_VAULT_CLIENT_KEY", "")
	self.vault_cert_role = os.getenv("HCP_VAULT_CERT_ROLE", None)

	# Validate environment
	if not self.vault_token:
	raise ValueError(
	"Missing Vault token. Please set HCP_VAULT_TOKEN in your environment."
	)

	litellm.secret_manager_client = self
	litellm._key_management_system = KeyManagementSystem.HASHICORP_VAULT
	_refresh_interval = os.environ.get(
	"HCP_VAULT_REFRESH_INTERVAL", SECRET_MANAGER_REFRESH_INTERVAL
	)
	_refresh_interval = (
	int(_refresh_interval)
	if _refresh_interval
	else SECRET_MANAGER_REFRESH_INTERVAL
	)
	self.cache = InMemoryCache(
	default_ttl=_refresh_interval
	) # store in memory for 1 day

	if premium_user is not True:
	raise ValueError(
	f"Hashicorp secret manager is only available for premium users. {CommonProxyErrors.not_premium_user.value}"
	)

	def _auth_via_tls_cert(self) -> str:
	"""
	Ref: https://developer.hashicorp.com/vault/api-docs/auth/cert

	Request:
	```
	curl \
	--request POST \
	--cacert vault-ca.pem \
	--cert cert.pem \
	--key key.pem \
	--header "X-Vault-Namespace: mynamespace/" \
	--data '{"name": "my-cert-role"}' \
	https://127.0.0.1:8200/v1/auth/cert/login
	```

	Response:
	```
	{
	"auth": {
	"client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",
	"policies": ["web", "stage"],
	"lease_duration": 3600,
	"renewable": true
	}
	}
	```
	"""
	verbose_logger.debug("Using TLS cert auth for Hashicorp Vault")
	# Vault endpoint for cert-based login, e.g. '/v1/auth/cert/login'
	login_url = f"{self.vault_addr}/v1/auth/cert/login"

	# Include your Vault namespace in the header if you're using namespaces.
	# E.g. self.vault_namespace = 'mynamespace/'
	# If you only have root namespace, you can omit this header entirely.
	headers = {}
	if hasattr(self, "vault_namespace") and self.vault_namespace:
	headers["X-Vault-Namespace"] = self.vault_namespace
	try:
	# We use the client cert and key for mutual TLS
	client = httpx.Client(cert=(self.tls_cert_path, self.tls_key_path))
	resp = client.post(
	login_url,
	headers=headers,
	json=self._get_tls_cert_auth_body(),
	)
	resp.raise_for_status()
	token = resp.json()["auth"]["client_token"]
	_lease_duration = resp.json()["auth"]["lease_duration"]
	verbose_logger.info("Successfully obtained Vault token via TLS cert auth.")
	self.cache.set_cache(
	key="hcp_vault_token", value=token, ttl=_lease_duration
	)
	return token
	except Exception as e:
	raise RuntimeError(f"Could not authenticate to Vault via TLS cert: {e}")

	def _get_tls_cert_auth_body(self) -> dict:
	return {"name": self.vault_cert_role}

	def get_url(self, secret_name: str) -> str:
	_url = f"{self.vault_addr}/v1/"
	if self.vault_namespace:
	_url += f"{self.vault_namespace}/"
	_url += f"secret/data/{secret_name}"
	return _url

	def _get_request_headers(self) -> dict:
	if self.tls_cert_path and self.tls_key_path:
	return {"X-Vault-Token": self._auth_via_tls_cert()}
	return {"X-Vault-Token": self.vault_token}

	async def async_read_secret(
	self,
	secret_name: str,
	optional_params: Optional[dict] = None,
	timeout: Optional[Union[float, httpx.Timeout]] = None,
	) -> Optional[str]:
	"""
	Reads a secret from Vault KV v2 using an async HTTPX client.
	secret_name is just the path inside the KV mount (e.g., 'myapp/config').
	Returns the entire data dict from data.data, or None on failure.
	"""
	if self.cache.get_cache(secret_name) is not None:
	return self.cache.get_cache(secret_name)
	async_client = get_async_httpx_client(
	llm_provider=httpxSpecialProvider.SecretManager,
	)
	try:
	# For KV v2: /v1/<mount>/data/<path>
	# Example: http://127.0.0.1:8200/v1/secret/data/myapp/config
	_url = self.get_url(secret_name)
	url = _url

	response = await async_client.get(url, headers=self._get_request_headers())
	response.raise_for_status()

	# For KV v2, the secret is in response.json()["data"]["data"]
	json_resp = response.json()
	_value = self._get_secret_value_from_json_response(json_resp)
	self.cache.set_cache(secret_name, _value)
	return _value

	except Exception as e:
	verbose_logger.exception(f"Error reading secret from Hashicorp Vault: {e}")
	return None

	def sync_read_secret(
	self,
	secret_name: str,
	optional_params: Optional[dict] = None,
	timeout: Optional[Union[float, httpx.Timeout]] = None,
	) -> Optional[str]:
	"""
	Reads a secret from Vault KV v2 using a sync HTTPX client.
	secret_name is just the path inside the KV mount (e.g., 'myapp/config').
	Returns the entire data dict from data.data, or None on failure.
	"""
	if self.cache.get_cache(secret_name) is not None:
	return self.cache.get_cache(secret_name)
	sync_client = _get_httpx_client()
	try:
	# For KV v2: /v1/<mount>/data/<path>
	url = self.get_url(secret_name)

	response = sync_client.get(url, headers=self._get_request_headers())
	response.raise_for_status()

	# For KV v2, the secret is in response.json()["data"]["data"]
	json_resp = response.json()
	_value = self._get_secret_value_from_json_response(json_resp)
	self.cache.set_cache(secret_name, _value)
	return _value

	except Exception as e:
	verbose_logger.exception(f"Error reading secret from Hashicorp Vault: {e}")
	return None

	async def async_write_secret(
	self,
	secret_name: str,
	secret_value: str,
	description: Optional[str] = None,
	optional_params: Optional[dict] = None,
	timeout: Optional[Union[float, httpx.Timeout]] = None,
	) -> Dict[str, Any]:
	"""
	Writes a secret to Vault KV v2 using an async HTTPX client.

	Args:
	secret_name: Path inside the KV mount (e.g., 'myapp/config')
	secret_value: Value to store
	description: Optional description for the secret
	optional_params: Additional parameters to include in the secret data
	timeout: Request timeout

	Returns:
	dict: Response containing status and details of the operation
	"""
	async_client = get_async_httpx_client(
	llm_provider=httpxSpecialProvider.SecretManager,
	params={"timeout": timeout},
	)

	try:
	url = self.get_url(secret_name)

	# Prepare the secret data
	data = {"data": {"key": secret_value}}

	if description:
	data["data"]["description"] = description

	response = await async_client.post(
	url=url, headers=self._get_request_headers(), json=data
	)
	response.raise_for_status()
	return response.json()
	except Exception as e:
	verbose_logger.exception(f"Error writing secret to Hashicorp Vault: {e}")
	return {"status": "error", "message": str(e)}

	async def async_rotate_secret(
	self,
	current_secret_name: str,
	new_secret_name: str,
	new_secret_value: str,
	optional_params: Dict \| None = None,
	timeout: float \| httpx.Timeout \| None = None,
	) -> Dict:
	raise NotImplementedError("Hashicorp does not support secret rotation")

	async def async_delete_secret(
	self,
	secret_name: str,
	recovery_window_in_days: Optional[int] = 7,
	optional_params: Optional[dict] = None,
	timeout: Optional[Union[float, httpx.Timeout]] = None,
	) -> dict:
	"""
	Async function to delete a secret from Hashicorp Vault.
	In KV v2, this marks the latest version of the secret as deleted.

	Args:
	secret_name: Name of the secret to delete
	recovery_window_in_days: Not used for Vault (Vault handles this internally)
	optional_params: Additional parameters specific to the secret manager
	timeout: Request timeout

	Returns:
	dict: Response containing status and details of the operation
	"""
	async_client = get_async_httpx_client(
	llm_provider=httpxSpecialProvider.SecretManager,
	params={"timeout": timeout},
	)

	try:
	# For KV v2 delete: /v1/<mount>/data/<path>
	url = self.get_url(secret_name)

	response = await async_client.delete(
	url=url, headers=self._get_request_headers()
	)
	response.raise_for_status()

	# Clear the cache for this secret
	self.cache.delete_cache(secret_name)

	return {
	"status": "success",
	"message": f"Secret {secret_name} deleted successfully",
	}
	except Exception as e:
	verbose_logger.exception(f"Error deleting secret from Hashicorp Vault: {e}")
	return {"status": "error", "message": str(e)}

	def _get_secret_value_from_json_response(
	self, json_resp: Optional[dict]
	) -> Optional[str]:
	"""
	Get the secret value from the JSON response

	Json response from hashicorp vault is of the form:

	{
	"request_id":"036ba77c-018b-31dd-047b-323bcd0cd332",
	"lease_id":"",
	"renewable":false,
	"lease_duration":0,
	"data":
	{"data":
	{"key":"Vault Is The Way"},
	"metadata":{"created_time":"2025-01-01T22:13:50.93942388Z","custom_metadata":null,"deletion_time":"","destroyed":false,"version":1}
	},
	"wrap_info":null,
	"warnings":null,
	"auth":null,
	"mount_type":"kv"
	}

	Note: LiteLLM assumes that all secrets are stored as under the key "key"
	"""
	if json_resp is None:
	return None
	return json_resp.get("data", {}).get("data", {}).get("key", None)