hvddlZddlZddlZddlmZddlmZmZmZmZm Z m Z m Z m Z m Z mZddlZddlmZddlmZddlmZddlmZmZddlmZdd lmZmZer dd lmZdd l m!Z!neZ!eZGd d eZ"Gdde#Z$GddZ%y)N)datetime) TYPE_CHECKINGAnyDictListLiteralOptionalTupleUnioncastget_args) BaseModel)verbose_logger) DualCache) BEDROCK_INVOKE_PROVIDERS_LITERALBEDROCK_MAX_POLICY_SIZE)tracer) get_secretget_secret_str)AWSPreparedRequest Credentialsc2eZdZUeed<eed<eeed<y)Boto3CredentialsInfo credentialsaws_region_nameaws_bedrock_runtime_endpointN)__name__ __module__ __qualname__r__annotations__strr ]/var/www/Befach/backend/env/lib/python3.12/site-packages/litellm/llms/bedrock/base_aws_llm.pyrr#s"*3-/r$rceZdZfdZxZS) AwsAuthErrorc||_||_tjdd|_tj ||j|_t|!|jy)NPOSTz0https://us-west-2.console.aws.amazon.com/bedrock)methodurl) status_coderequest) r,messagehttpxRequestr-Responseresponsesuper__init__)selfr,r. __class__s r%r4zAwsAuthError.__init__*sT& }}Q  ; U   LL r$)rrr r4 __classcell__r6s@r%r'r')s    r$r'ceZdZd3fd ZdeeeefdefdZej d4deedeedeedeed eed eed eed eed eefdZ deedeefdZ e dedee fdZe dedee fdZ d5dedeedeedefdZ d6deefdZejd ed ed edeed eedeeeeff dZejdeedeed ed edeeeeff dZejd edeeeeffdZejdedededeeeeffdZejdededeedeeeeffdZejdeeeeffdZejdefdZ d7deed eeded!eed"deeeff d#Zd!eed"dedefd$Z d6dedeede fd%Z!ej d6d&eded'eed(ed)e"ee#fd*ed+eede$fd,Z% d8d-ed.d*eded/ededeed0ee&d1ee&d+eedeeee#ffd2Z'xZ(S)9 BaseAWSLLMreturncRt|_t| gd|_y)N) aws_access_key_idaws_secret_access_keyaws_session_tokenraws_session_nameaws_profile_name aws_role_nameaws_web_identity_tokenaws_sts_endpointr)r iam_cacher3r4aws_authentication_params)r5r6s r%r4zBaseAWSLLM.__init__7s!"  * &r$credential_argsctj|d}tj|j j S)zP Generate a unique cache key based on the credential arguments. T) sort_keys)jsondumpshashlibsha256encode hexdigest)r5rGcredential_strs r% get_cache_keyzBaseAWSLLM.get_cache_keyGs5 OtD~~n3356@@BBr$r=r>r?rr@rArBrCrDc |||||||||| g } t| D]\} } | r6| jdr%t| } | 't| ts8| | | <>| A|j | }|j tjvsqtj|j | | <| \ }}}}}}}}} tjd||||||||| tjDcic]\}}|jds||}}}|j|}|jj!|}|r|S||||j#||||| \}}n|I|.dt%t'j(j+}|j-||||\}}nf||j/|\}}nO||||j1|||\}}n1||||j3|||\}}n|j5\}}|jj7||| |Scc}}w) z3 Return a boto3.Credentials object z os.environ/zin get credentials aws_access_key_id=%s aws_secret_access_key=%s aws_session_token=%s aws_region_name=%s aws_session_name=%s aws_profile_name=%s aws_role_name=%s aws_web_identity_token=%s aws_sts_endpoint=%saws_)rCrBr@rrDzlitellm-session-)r=r>rBr@)r=r>r?)r=r>r)ttl) enumerate startswithr isinstancer"rFupperosenvirongetenvrdebuglocalsitemsrQrE get_cache_auth_with_web_identity_tokenintrnow timestamp_auth_with_aws_role_auth_with_aws_profile_auth_with_aws_session_token$_auth_with_access_key_and_secret_key_auth_with_env_vars set_cache)r5r=r>r?rr@rArBrCrDparams_to_checkiparam_vkeykvargs cache_key_cached_credentialsr _cache_ttls r%get_credentialszBaseAWSLLM.get_credentialsOs$  !      "  0 "/2HAu))-8&>jS&9)+OA&44Q799;"**,)+399;)?OA&3*   !      "   "  !      " ' ."(!1JAQ\\&5I1JJ&&t, "nn66yA & & # .) ,&*&H&H'=+!1 /!1 'I' #K &'%5c(,,.:R:R:T6U5V#W &*&>&>"3&;+!1 '?' #K )&*&A&ABR&S #K  )%1!-&*&G&G"3&;"3'H' #K  )%1+&*&O&O"3&; /'P' #K '+&>&>&@ #K   KZ HKs 5H8H8modelc t|trd|vry|jd}t|dkry|d}|sy|S#t$rYywxYw)Nzarn:aws:bedrock:)rWr"splitlen Exception)r5rvpartsregions r%_get_aws_region_from_model_arnz)BaseAWSLLM._get_aws_region_from_model_arnsb eS)->e-KKK$E5zA~1XFM  s AAAA A  A  model_pathc|jd}t|dk\r&|d}|ttvrt t|Sy)at Helper function to get the provider from a model path with format: provider/model-name Args: model_path (str): The model path (e.g., 'llama/arn:aws:bedrock:us-east-1:086734376398:imported-model/r4c4kewx2s0n' or 'anthropic/model-name') Returns: Optional[str]: The provider name, or None if no valid provider found /rN)r{r|r rr )rr~providers r%_get_provider_from_model_pathz(BaseAWSLLM._get_provider_from_model_pathsG  % u:?QxH8$DEE Returns `anthropic` 2. model=anthropic.claude-3-5-sonnet-20240620-v1:0 -> Returns `anthropic` 3. model=llama/arn:aws:bedrock:us-east-1:086734376398:imported-model/r4c4kewx2s0n -> Returns `llama` 4. model=us.amazon.nova-pro-v1:0 -> Returns `nova` zinvoke/r.rNnova)rVreplacer{r rr r:r)rv _split_modelrs r%get_bedrock_invoke_providerz&BaseAWSLLM.get_bedrock_invoke_providers   I &MM)R3E{{3'* 8$DE E8,G G;;EB  O U?$%EFu$#OGr$optional_paramsmodel_idc|jdd}|i||j|}n|j|}tdd}||t|tr|}tdd}||t|tr|}|J ddl}t jd5|j}dddj} | r| }|Sd} |S|S#1swY"xYw#t$rd}Y|SwxYw)ar Get the AWS region name from the environment variables. Parameters: optional_params (dict): Optional parameters for the model call model (str): The model name model_id (str): The model ID. This is the ARN of the model, if passed in as a separate param. Returns: str: The AWS region name rNAWS_REGION_NAME AWS_REGIONrboto3.Session() us-west-2) getrrrWr"boto3rtraceSession region_namer}) r5rrvrrlitellm_aws_region_namestandard_aws_region_namersessionconfigured_regions r%_get_aws_region_namezBaseAWSLLM._get_aws_region_name's"*--.?F  "#"&"E"Eh"O"&"E"Ee"L&01BD&I # '+76<"9'1,'E $',87=":  " .\\"34.#mmoG.$+$7$7!$&7O  '2O.. ."- .s0CC +CC CC C'&C'c|Dtdd}|t|tr|}tdd}|t|tr|}|d}|S)a Get the AWS region name for non-llm api calls. LLM API calls check the model arn and end up using that as the region name. For non-llm api calls eg. Guardrails, Vector Stores we just need to check the dynamic param or env vars. Nrrr)rrWr")r5rrrs r%)get_aws_region_name_for_non_llm_api_callsz4BaseAWSLLM.get_aws_region_name_for_non_llm_api_callsash  "&01BD&I #&2z'8#:'1,'E $'3 (#9#;&"-r$ctddl}tjd|d|d||d|d}n|}t|}| t dd t j d 5|jd || } ddd j|||dd} | dd| dd| dd|d} | dtkDrtjd| dt j d5|jdi| } ddd j} | |jfS#1swYxYw#1swY7xYw)z: Authenticate with AWS Web Identity Token rNzIN Web Identity Token: z | Role Name: z | Session Name: z https://sts..amazonaws.comz6OIDC token could not be retrieved from secret manager.i)r.r,boto3.client(sts)sts)r endpoint_urlia{"Version":"2012-10-17","Statement":[{"Sid":"BedrockLiteLLM","Effect":"Allow","Action":["bedrock:InvokeModel","bedrock:InvokeModelWithResponseStream"],"Resource":"*","Condition":{"Bool":{"aws:SecureTransport":"true"},"StringLike":{"aws:UserAgent":"litellm/*"}}}]})RoleArnRoleSessionNameWebIdentityTokenDurationSecondsPolicyr AccessKeyIdSecretAccessKey SessionToken)r=r>r?rPackedPolicySizezKThe policy size is greater than 75% of the allowed size, PackedPolicySize: zboto3.Session(**iam_creds_dict)r#)rrr\rr'rrclientassume_role_with_web_identityrwarningrru&_get_default_ttl_for_boto3_credentials)r5rCrBr@rrDr sts_endpoint oidc_token sts_client sts_responseiam_creds_dictr iam_credss r%r`z(BaseAWSLLM._auth_with_web_identity_tokens %&<%=^M?Zkl|k} ~   #)/):.IL+L 67  P  \\- . +)&J "??!,' ] @ ".m!<]!K%1-%@AR%S!-m!<^!L*   * +.E E  " "]^jk}^~]A \\; < 6#emm5n5G 6++- $EEGGGC  : 6 6sD"%D."D+.D7cfddl}ddlm}tjd5|j d||}dddj ||}|d} || d | d | d  } | d } tj| j} | | z jdz } | | fS#1swYsxYw)z, Authenticate with AWS Role rNrrr)r=r>)rrrrrr access_key secret_keytoken Expiration<) rbotocore.credentialsrrrr assume_rolerrbtzinfo total_seconds)r5r=r>rBr@rrrrsts_credentialsr sts_expiry current_timests_ttls r%rdzBaseAWSLLM._auth_with_aws_roles 4 \\- . "3&;&J "--!3C. '}5!&}5&'89!.1 %\2 ||J$5$56  ,;;=BG##/  s B''B0cddl}tjd5|j|}|j dfcdddS#1swYyxYw)z/ Authenticate with AWS profile rNz,boto3.Session(profile_name=aws_profile_name)) profile_namerrrrru)r5rArrs r%rez!BaseAWSLLM._auth_with_aws_profilesM \\H I 2]]0@]AF))+T1 2 2 2 $AAc,ddlm}||||}|dfS)z5 Authenticate with AWS Session Token rrrN)rr)r5r=r>r?rrs r%rfz'BaseAWSLLM._auth_with_aws_session_tokens' 5!(,# D  r$cddl}tjd5|j|||}dddj }||j fS#1swY+xYw)zA Authenticate with AWS Access Key and Secret Key rNz|boto3.Session(aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=aws_region_name))r=r>r)rrrrrur)r5r=r>rrrrs r%rgz/BaseAWSLLM._auth_with_access_key_and_secret_key sr \\ K  mm"3&;+$G --/ DGGIII  s AA"cddl}tjd5|j}|j }|dfcdddS#1swYyxYw)z= Authenticate with AWS Environment Variables rNrr)r5rrrs r%rhzBaseAWSLLM._auth_with_env_vars$sJ  \\+ , %mmoG!113K$ % % %rcy)zj Get the default TTL for boto3 credentials Returns `3600-60` which is 59 minutes i r#)r5s r%rz1BaseAWSLLM._get_default_ttl_for_boto3_credentials0sr$api_baser endpoint_type)runtimeagentctd}||}n=|t|tr|}n(|rt|tr|}n|j||}|rt|tr|}||fS|t|tr|}||fS|}||fS)NAWS_BEDROCK_RUNTIME_ENDPOINT)rr)rrWr"_select_default_endpoint_url)r5rrrr env_aws_bedrock_runtime_endpointrproxy_endpoint_urls r%get_runtime_endpointzBaseAWSLLM.get_runtime_endpoint9s,66T+U(  #L ) 5* (#; 8L -* ,c3  ///". ///r$c$|dk(rd|dSd|dS)z Select the default endpoint url based on the endpoint type Default endpoint url is https://bedrock-runtime.{aws_region_name}.amazonaws.com rzhttps://bedrock-agent-runtime.rzhttps://bedrock-runtime.r#)r5rrs r%rz'BaseAWSLLM._select_default_endpoint_url_s, G #3O3DNS S-o->nM Mr$c  ddlm}|jdd}|jdd}|jdd}|j ||}|jdd|jd d}|jd d} |jd d} |jd d} |jd d} |jdd} |j ||||| | || |  }t ||| S#t$r tdwxYw)z Get boto3 credentials from optional params Args: optional_params (dict): Optional parameters for the model call Returns: Credentials: Boto3 credentials object rr7Missing boto3 to call bedrock. Run 'pip install boto3'.r>Nr=r?rrBr@rArCrDr r=r>r?rr@rArBrCrD)rrr)rr ImportErrorpoprrur)r5rrvrr>r=r?rrBr@rArCrDrrs r%*_get_boto_credentials_from_optional_paramsz5BaseAWSLLM._get_boto_credentials_from_optional_paramslsM Y 8 !0 3 34KT R+//0CTJ+//0CTJ33OUK-t4'++OTB *../A4H*../A4H!0!4!45Mt!T*../A4H'6':': *D( $$(#7#7/"7/+--'#9-$8 $ $#+)E  = YWX X Ys C66D r extra_headersrdataheadersapi_keycz||}n td}|r ddlm} d||d<| d|||} nL dd lm} ddlm} | |d |} | d|||} | j | |d|vr|d| jd<| j} | S#t$r tdwxYw#t$r tdwxYw) NAWS_BEARER_TOKEN_BEDROCKr AWSRequestrBearer Authorizationr)r*r+rr SigV4Authbedrock) rbotocore.awsrequestrr botocore.authradd_authrprepare)r5rrrrrrraws_bearer_tokenrr-rsigv4preppeds r%get_request_headerszBaseAWSLLM.get_request_headerss  .5 -.HI   : *11A0B'CGO $ r=r?rBr@rArCrD)rrvrr)r)rrJrKrNrrrrrrrrrrurdictrbody)r5rrrrrrvrrrrrrrr>r=r?rBr@rArCrDrrrr-request_headers_dicts r% _sign_requestzBaseAWSLLM._sign_requests$  .5 -.HI  mG&8GN #)01A0B'CGO $DJJ|4;;== = Y / 6 8 !0 3 34KT R+//0CTJ+//0CTJ'++OTB *../A4H*../A4H!0!4!45Mt!T*../A4H33+54 $(#7#7/"7/+--'#9-$8 $ +|_E  %'9EWEG%'9:GL)   w#GOO4  Ow$>4;O4L  1#W\\11c YWX X Ys FF()r;N) NNNNNNNNN)NN)N)r)NNNN))rrr r4rr"r rQrwraprur staticmethodrrrrrrr rrar`rdrerfrgrhrrrrrrr bytesrrboolrr7r8s@r%r:r:6s CT#x}2D-EC#CV[[],0/3+/)-*.*.'+04*.J#C=J (}J$C= J "# J #3- J#3-J }J!) J#3-JJXHSMhsm* 2 3& 2 3H $"& 88}83- 8 8x*.!#<V[[]?H #?H?H ?H "# ?H #3- ?H {HSM) *?H?HBV[[]$$#C=$$ (}$$ $$  $$ {HSM) * $$$$LV[[] 2 # 2 {HSM) * 2 2V[[]!! #! ! {HSM) * !!(V[[]JJ #J"# J {HSM) * JJ0V[[] %U; +E%F % %V[[]@I $03-$0'/sm$0 $0  (: ;< $0 sCx $0L N%g.@&AB NUX N  N=A0 #0 ,4SM0 0 dV[[]"&- -- ~ -  - CJ --#- --l $!%&*!%T245T2T2 T2  T2  T2}T2T2d^T2#T2 tXe_$ %T2r$r:)&rLrJrYrtypingrrrrrr r r r r r/pydanticrlitellm._loggingrlitellm.caching.cachingrlitellm.constantsrr%litellm.litellm_core_utils.dd_tracingrlitellm.secret_managers.mainrrrrrrrr}r'r:r#r$r%r so     +-W8C60K090  9  l 2l 2r$