Jump to content

Connect Leeroopedia MCP: Equip your AI agents to search best practices, build plans, verify code, diagnose failures, and look up hyperparameter defaults.

Environment:BerriAI Litellm Provider API Credentials

From Leeroopedia
Knowledge Sources
Domains Infrastructure, Security
Last Updated 2026-02-15 16:00 GMT

Overview

API credentials and secret management environment for LLM provider access, supporting 100+ providers via environment variables or external secret managers (AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, CyberArk).

Description

This environment defines the credential requirements for accessing LLM providers through LiteLLM. Credentials can be set as environment variables, stored in external secret managers, or passed dynamically via the API. The system supports a special prefix syntax (`os.environ/KEY_NAME`) in YAML configuration files to resolve credentials at runtime. Multiple secret manager backends are available for enterprise deployments.

Usage

Use this environment whenever making LLM API calls through LiteLLM. Every provider requires at least one API key or authentication credential. For proxy server deployments, credentials are typically managed via YAML config files with environment variable references or external secret managers.

System Requirements

Category Requirement Notes
Network HTTPS access to provider APIs Each provider has its own API endpoint
Security Secure secret storage Never commit secrets to version control

Dependencies

Python Packages (for secret managers)

  • `boto3` >= 1.40.53 (AWS Secrets Manager / KMS)
  • `azure-identity` >= 1.15.0 (Azure Key Vault)
  • `azure-keyvault-secrets` >= 4.8.0 (Azure Key Vault)
  • `google-cloud-kms` >= 2.21.3 (Google Cloud KMS)
  • `cryptography` (OCI authentication)

Credentials

Core LLM Providers:

  • `OPENAI_API_KEY`: OpenAI API key.
  • `ANTHROPIC_API_KEY`: Anthropic (Claude) API key.
  • `AZURE_API_KEY`: Azure OpenAI API key.
  • `AZURE_API_BASE`: Azure OpenAI endpoint URL.
  • `HF_TOKEN` / `HUGGINGFACE_API_KEY`: HuggingFace API token.

Cloud Provider Authentication:

  • `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION_NAME`: For AWS Bedrock/SageMaker.
  • `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`: For Azure AD token auth.
  • `AZURE_CERTIFICATE_PATH`, `AZURE_CERTIFICATE_PASSWORD`: For Azure certificate auth.
  • `GOOGLE_SECRET_MANAGER_PROJECT_ID`: For Google Secret Manager.
  • `GOOGLE_KMS_RESOURCE_NAME`: For Google Cloud KMS decryption.

External Secret Managers:

  • `AZURE_KEY_VAULT_URI`: Azure Key Vault endpoint.
  • `HCP_VAULT_ADDR`, `HCP_VAULT_TOKEN`, `HCP_VAULT_NAMESPACE`: HashiCorp Vault connection.
  • `HCP_VAULT_APPROLE_ROLE_ID`, `HCP_VAULT_APPROLE_SECRET_ID`: Vault AppRole auth.
  • `CYBERARK_API_BASE`, `CYBERARK_ACCOUNT`, `CYBERARK_USERNAME`, `CYBERARK_API_KEY`: CyberArk Conjur.
  • `LITELLM_SECRET_AWS_KMS_LITELLM_LICENSE`: AWS KMS encrypted license key.

OIDC Federation:

  • `CIRCLE_OIDC_TOKEN` / `CIRCLE_OIDC_TOKEN_V2`: CircleCI OIDC tokens.
  • `ACTIONS_ID_TOKEN_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`: GitHub Actions OIDC.
  • `AZURE_FEDERATED_TOKEN_FILE`: Azure federated identity.

Quick Install

# Basic setup with environment variables
export OPENAI_API_KEY="sk-..."
export ANTHROPIC_API_KEY="sk-ant-..."

# For AWS Bedrock
export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_REGION_NAME="us-east-1"

# For secret manager integration
pip install litellm boto3 azure-keyvault-secrets

Code Evidence

API key retrieval from `litellm/main.py:2693`: 

api_key = (
    api_key
    or litellm.anthropic_key
    or os.environ.get("ANTHROPIC_API_KEY")
)

Dynamic env var resolution from `litellm/_redis.py:203-208`: 

### check if "os.environ/<key-name>" passed in
for k, v in env_overrides.items():
    if isinstance(v, str) and v.startswith("os.environ/"):
        v = v.replace("os.environ/", "")
        value = get_secret(v)
        env_overrides[k] = value

Secret manager dispatcher from `litellm/secret_managers/main.py:202-254`: 

# Tries: custom secret manager -> AWS SSM -> Azure Key Vault -> Google KMS -> os.getenv()
secret_value = os.getenv(secret_name)

Common Errors

Error Message Cause Solution
`AuthenticationError: Invalid API key` Wrong or expired API key Verify the API key is correct and active
`Missing boto3 to call bedrock. Run 'pip install boto3'.` boto3 not installed `pip install boto3`
`cryptography package is required for OCI authentication` cryptography not installed `pip install cryptography`
`ValueError: api_key must be provided` No API key found in env or params Set the appropriate `*_API_KEY` environment variable

Compatibility Notes

  • os.environ/ Prefix: YAML config values like `"os.environ/OPENAI_API_KEY"` are resolved at runtime. This allows secrets to stay in environment variables rather than config files.
  • Secret Manager Priority: Custom secret manager -> AWS -> Azure -> Google -> environment variable.
  • OIDC Support: CircleCI and GitHub Actions OIDC tokens are supported for cloud provider authentication without long-lived credentials.

Related Pages

Page Connections

Double-click a node to navigate. Hold to expand connections.
Principle
Implementation
Heuristic
Environment
Retrieved from "https://leeroopedia.com/index.php?title=Environment:BerriAI_Litellm_Provider_API_Credentials&oldid=27696"