fix auth checks for provider routes

litellm/proxy/auth/auth_utils.py

@@ -227,3 +227,24 @@ def get_key_model_tpm_limit(user_api_key_dict: UserAPIKeyAuth) -> Optional[dict]
             return user_api_key_dict.metadata["model_tpm_limit"]
 
     return None
+
+
+def is_pass_through_provider_route(route: str) -> bool:
+    PROVIDER_SPECIFIC_PASS_THROUGH_ROUTES = [
+        "vertex-ai",
+    ]
+
+    # check if any of the prefixes are in the route
+    for prefix in PROVIDER_SPECIFIC_PASS_THROUGH_ROUTES:
+        if prefix in route:
+            return True
+
+    return False
+
+
+def should_run_auth_on_pass_through_provider_route(route: str) -> bool:
+    """
+    Use this to decide if the rest of the LiteLLM Virtual Key auth checks should run on /vertex-ai/{endpoint} routes
+    """
+    # by default we do not run virtual key auth checks on /vertex-ai/{endpoint} routes
+    return False

litellm/proxy/auth/user_api_key_auth.py

@@ -61,7 +61,9 @@ from litellm.proxy.auth.auth_utils import (
     check_if_request_size_is_safe,
     get_request_route,
     is_llm_api_route,
+    is_pass_through_provider_route,
     route_in_additonal_public_routes,
+    should_run_auth_on_pass_through_provider_route,
 )
 from litellm.proxy.auth.oauth2_check import check_oauth2_token
 from litellm.proxy.auth.oauth2_proxy_hook import handle_oauth2_proxy_request
@@ -204,7 +206,11 @@ async def user_api_key_auth(
         ):
             # check if public endpoint
             return UserAPIKeyAuth(user_role=LitellmUserRoles.INTERNAL_USER_VIEW_ONLY)
-
+        elif is_pass_through_provider_route(route=route):
+            if should_run_auth_on_pass_through_provider_route(route=route) is False:
+                return UserAPIKeyAuth(
+                    user_role=LitellmUserRoles.INTERNAL_USER_VIEW_ONLY
+                )
         if general_settings.get("enable_oauth2_auth", False) is True:
             # return UserAPIKeyAuth object
             # helper to check if the api_key is a valid oauth2 token