BerriAI · ishaan-jaff · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
diff --git a/docs/my-website/docs/providers/vertex.md b/docs/my-website/docs/providers/vertex.md
@@ -1327,95 +1327,6 @@ Here's how to use Vertex AI with the LiteLLM Proxy Server
   </Tabs>
 
 
-## Authentication - vertex_project, vertex_location, etc. 
-
-Set your vertex credentials via:
-- dynamic params
-OR
-- env vars 
-
-
-### **Dynamic Params**
-
-You can set:
-- `vertex_credentials` (str) - can be a json string or filepath to your vertex ai service account.json
-- `vertex_location` (str) - place where vertex model is deployed (us-central1, asia-southeast1, etc.). Some models support the global location, please see [Vertex AI documentation](https://cloud.google.com/vertex-ai/generative-ai/docs/learn/locations#supported_models)
-- `vertex_project` Optional[str] - use if vertex project different from the one in vertex_credentials
-
-as dynamic params for a `litellm.completion` call. 
-
-<Tabs>
-<TabItem value="sdk" label="SDK">
-
-```python
-from litellm import completion
-import json 
-
-## GET CREDENTIALS 
-file_path = 'path/to/vertex_ai_service_account.json'
-
-# Load the JSON file
-with open(file_path, 'r') as file:
-    vertex_credentials = json.load(file)
-
-# Convert to JSON string
-vertex_credentials_json = json.dumps(vertex_credentials)
-
-
-response = completion(
-  model="vertex_ai/gemini-2.5-pro",
-  messages=[{"content": "You are a good bot.","role": "system"}, {"content": "Hello, how are you?","role": "user"}], 
-  vertex_credentials=vertex_credentials_json,
-  vertex_project="my-special-project", 
-  vertex_location="my-special-location"
-)
-```
-
-</TabItem>
-<TabItem value="proxy" label="PROXY">
-
-```yaml
-model_list:
-    - model_name: gemini-1.5-pro
-      litellm_params:
-        model: gemini-1.5-pro
-        vertex_credentials: os.environ/VERTEX_FILE_PATH_ENV_VAR # os.environ["VERTEX_FILE_PATH_ENV_VAR"] = "/path/to/service_account.json" 
-        vertex_project: "my-special-project"
-        vertex_location: "my-special-location:
-```
-
-</TabItem>
-</Tabs>
-
-
-
-
-### **Environment Variables**
-
-You can set:
-- `GOOGLE_APPLICATION_CREDENTIALS` - store the filepath for your service_account.json in here (used by vertex sdk directly).
-- VERTEXAI_LOCATION - place where vertex model is deployed (us-central1, asia-southeast1, etc.)
-- VERTEXAI_PROJECT - Optional[str] - use if vertex project different from the one in vertex_credentials
-
-1. GOOGLE_APPLICATION_CREDENTIALS
-
-```bash
-export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"
-```
-
-2. VERTEXAI_LOCATION
-
-```bash
-export VERTEXAI_LOCATION="us-central1" # can be any vertex location
-```
-
-3. VERTEXAI_PROJECT
-
-```bash
-export VERTEXAI_PROJECT="my-test-project" # ONLY use if model project is different from service account project
-```
-
-
 ## Specifying Safety Settings 
 In certain use-cases you may need to make calls to the models and pass [safety settings](https://ai.google.dev/docs/safety_setting_gemini) different from the defaults. To do so, simple pass the `safety_settings` argument to `completion` or `acompletion`. For example:
 

diff --git a/docs/my-website/docs/providers/vertex_auth.md b/docs/my-website/docs/providers/vertex_auth.md
@@ -0,0 +1,155 @@
+import Image from '@theme/IdealImage';
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+# Vertex AI Authentication
+
+Set your vertex credentials via:
+- dynamic params
+OR
+- env vars 
+
+
+### **Dynamic Params**
+
+You can set:
+- `vertex_credentials` (str) - can be a json string or filepath to your vertex ai service account.json
+- `vertex_location` (str) - place where vertex model is deployed (us-central1, asia-southeast1, etc.). Some models support the global location, please see [Vertex AI documentation](https://cloud.google.com/vertex-ai/generative-ai/docs/learn/locations#supported_models)
+- `vertex_project` Optional[str] - use if vertex project different from the one in vertex_credentials
+
+as dynamic params for a `litellm.completion` call. 
+
+<Tabs>
+<TabItem value="sdk" label="SDK">
+
+```python
+from litellm import completion
+import json 
+
+## GET CREDENTIALS 
+file_path = 'path/to/vertex_ai_service_account.json'
+
+# Load the JSON file
+with open(file_path, 'r') as file:
+    vertex_credentials = json.load(file)
+
+# Convert to JSON string
+vertex_credentials_json = json.dumps(vertex_credentials)
+
+
+response = completion(
+  model="vertex_ai/gemini-2.5-pro",
+  messages=[{"content": "You are a good bot.","role": "system"}, {"content": "Hello, how are you?","role": "user"}], 
+  vertex_credentials=vertex_credentials_json,
+  vertex_project="my-special-project", 
+  vertex_location="my-special-location"
+)
+```
+
+</TabItem>
+<TabItem value="proxy" label="PROXY">
+
+```yaml
+model_list:
+    - model_name: gemini-1.5-pro
+      litellm_params:
+        model: gemini-1.5-pro
+        vertex_credentials: os.environ/VERTEX_FILE_PATH_ENV_VAR # os.environ["VERTEX_FILE_PATH_ENV_VAR"] = "/path/to/service_account.json" 
+        vertex_project: "my-special-project"
+        vertex_location: "my-special-location:
+```
+
+</TabItem>
+</Tabs>
+
+
+
+
+### **Environment Variables**
+
+You can set:
+- `GOOGLE_APPLICATION_CREDENTIALS` - store the filepath for your service_account.json in here (used by vertex sdk directly).
+- VERTEXAI_LOCATION - place where vertex model is deployed (us-central1, asia-southeast1, etc.)
+- VERTEXAI_PROJECT - Optional[str] - use if vertex project different from the one in vertex_credentials
+
+1. GOOGLE_APPLICATION_CREDENTIALS
+
+```bash
+export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service_account.json"
+```
+
+2. VERTEXAI_LOCATION
+
+```bash
+export VERTEXAI_LOCATION="us-central1" # can be any vertex location
+```
+
+3. VERTEXAI_PROJECT
+
+```bash
+export VERTEXAI_PROJECT="my-test-project" # ONLY use if model project is different from service account project
+```
+
+## AWS to GCP Federation (No Metadata Required)
+
+Use AWS credentials to access Vertex AI without EC2 metadata endpoints. Ideal when `http://169.254.169.254` is blocked.
+
+**Quick Setup:**
+
+1. Create a credential file with your AWS auth params:
+
+```json
+{
+  "type": "external_account",
+  "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
+  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
+  "token_url": "https://sts.googleapis.com/v1/token",
+  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA_EMAIL:generateAccessToken",
+  "credential_source": {
+    "environment_id": "aws1"
+  },
+  "aws_role_name": "arn:aws:iam::123456789012:role/MyRole",
+  "aws_region_name": "us-east-1"
+}
+```
+
+2. Use it in your code:
+
+<Tabs>
+<TabItem value="sdk" label="SDK">
+
+```python
+import litellm
+import json
+
+with open('aws_gcp_credentials.json', 'r') as f:
+    credentials = json.load(f)
+
+response = litellm.completion(
+    model="vertex_ai/gemini-pro",
+    messages=[{"role": "user", "content": "Hello!"}],
+    vertex_credentials=credentials,
+    vertex_project="my-gcp-project",
+    vertex_location="us-central1"
+)
+```
+
+</TabItem>
+<TabItem value="proxy" label="Proxy">
+
+```yaml
+model_list:
+  - model_name: gemini-pro
+    litellm_params:
+      model: vertex_ai/gemini-pro
+      vertex_credentials: /path/to/aws_gcp_credentials.json
+      vertex_project: my-gcp-project
+      vertex_location: us-central1
+```
+
+</TabItem>
+</Tabs>
+
+**Supported AWS auth methods:** `aws_role_name`, `aws_profile_name`, `aws_access_key_id`/`aws_secret_access_key`, `aws_web_identity_token`
+
+**Prerequisites:** You need a GCP Workload Identity Pool configured with an AWS provider. [Setup guide](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#aws)
diff --git a/docs/my-website/sidebars.js b/docs/my-website/sidebars.js
@@ -426,6 +426,7 @@ const sidebars = {
           label: "Vertex AI",
           items: [
             "providers/vertex",
+            "providers/vertex_auth",
             "providers/vertex_partner",
             "providers/vertex_self_deployed",
             "providers/vertex_image",

diff --git a/litellm/llms/vertex_ai/aws_credentials_supplier.py b/litellm/llms/vertex_ai/aws_credentials_supplier.py
@@ -0,0 +1,122 @@
+"""
+AWS Credentials Supplier for GCP Workload Identity Federation
+
+This module provides a custom AWS credentials supplier that uses boto3 credentials
+instead of EC2 metadata endpoints, enabling AWS to GCP federation in environments
+where metadata service access is blocked.
+"""
+
+from typing import TYPE_CHECKING, Any, Mapping
+
+if TYPE_CHECKING:
+    from botocore.credentials import Credentials as BotoCredentials
+else:
+    BotoCredentials = Any
+
+
+class Boto3AwsSecurityCredentialsSupplier:
+    """
+    Custom AWS credentials supplier that uses boto3 credentials instead of EC2 metadata endpoints.
+
+    This allows AWS to GCP Workload Identity Federation without relying on the metadata service
+    (http://169.254.169.254). It wraps boto3 credentials obtained via BaseAWSLLM and provides
+    them to Google's aws.Credentials class.
+
+    Example:
+        ```python
+        from litellm.llms.bedrock.base_aws_llm import BaseAWSLLM
+        from google.auth import aws
+
+        # Get AWS credentials using BaseAWSLLM (supports all auth flows)
+        aws_llm = BaseAWSLLM()
+        boto3_creds = aws_llm.get_credentials(
+            aws_role_name="arn:aws:iam::123456789012:role/MyRole",
+            aws_session_name="my-session",
+            aws_region_name="us-east-1"
+        )
+
+        # Create custom supplier
+        supplier = Boto3AwsSecurityCredentialsSupplier(
+            boto3_credentials=boto3_creds,
+            aws_region="us-east-1"
+        )
+
+        # Use with Google's aws.Credentials (bypasses metadata)
+        gcp_credentials = aws.Credentials(
+            audience="//iam.googleapis.com/projects/.../providers/...",
+            subject_token_type="urn:ietf:params:aws:token-type:aws4_request",
+            token_url="https://sts.googleapis.com/v1/token",
+            aws_security_credentials_supplier=supplier,
+            credential_source=None,  # Not using metadata
+        )
+        ```
+    """
+
+    def __init__(
+        self, boto3_credentials: BotoCredentials, aws_region: str = "us-east-1"
+    ) -> None:
+        """
+        Initialize the AWS credentials supplier.
+
+        Args:
+            boto3_credentials: botocore.credentials.Credentials object from boto3/BaseAWSLLM.
+                             This can come from any AWS auth flow (role assumption, profile,
+                             web identity token, explicit credentials, etc.)
+            aws_region: AWS region name. Defaults to "us-east-1"
+        """
+        self._credentials = boto3_credentials
+        self._region = aws_region
+
+    def get_aws_security_credentials(
+        self, context: Any, request: Any
+    ) -> Mapping[str, str]:
+        """
+        Get AWS security credentials from the boto3 credentials object.
+
+        This method is called by Google's aws.Credentials class to obtain AWS credentials
+        for the token exchange process. It extracts the credentials from the boto3
+        Credentials object, handling both frozen and unfrozen credential formats.
+
+        Args:
+            context: Supplier context (unused, required by interface)
+            request: HTTP request object (unused, required by interface)
+
+        Returns:
+            Dict containing:
+                - access_key_id: AWS access key ID
+                - secret_access_key: AWS secret access key
+                - security_token: AWS session token (or empty string if not present)
+        """
+        # Refresh credentials if needed and get frozen credentials
+        # Frozen credentials are immutable snapshots of the current credential values
+        if hasattr(self._credentials, "get_frozen_credentials"):
+            frozen_creds = self._credentials.get_frozen_credentials()
+            return {
+                "access_key_id": frozen_creds.access_key,
+                "secret_access_key": frozen_creds.secret_key,
+                "security_token": frozen_creds.token or "",
+            }
+        else:
+            # Fallback for credentials that don't support get_frozen_credentials
+            return {
+                "access_key_id": self._credentials.access_key,
+                "secret_access_key": self._credentials.secret_key,
+                "security_token": getattr(self._credentials, "token", "") or "",
+            }
+
+    def get_aws_region(self, context: Any, request: Any) -> str:
+        """
+        Get the AWS region for credential verification.
+
+        This method is called by Google's aws.Credentials class to determine which
+        AWS region to use for credential verification requests.
+
+        Args:
+            context: Supplier context (unused, required by interface)
+            request: HTTP request object (unused, required by interface)
+
+        Returns:
+            AWS region name (e.g., "us-east-1", "us-west-2")
+        """
+        return self._region
+