iam policy fix

[shivamrawat1]

Relevant issues

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

• I have Added testing in the tests/test_litellm/ directory, Adding at least 1 test is a hard requirement - see details
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible, it only solves 1 specific problem
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

Delays in PR merge?

If you're seeing a delay in your PR being merged, ping the LiteLLM Team on Slack (#pr-review).

CI (LiteLLM team)

CI status guideline:

• 50-55 passing tests: main is stable with minor issues.
• 45-49 passing tests: acceptable but needs attention
• <= 40 passing tests: unstable; be careful with your merges and assess the risk.

• Branch creation CI run
  Link:

• CI run for the last commit
  Link:

• Merge / cherry-pick CI run
  Links:

Type

🆕 New Feature
🐛 Bug Fix
🧹 Refactoring
📖 Documentation
🚄 Infrastructure
✅ Test

Changes

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Mar 22, 2026 0:48am

[codspeed-hq]

Merging this PR will not alter performance

✅ 16 untouched benchmarks

---

_{Comparing fix_oidc_guardrail (1ee2ea9) with main (e3d4c29)}

[greptile-apps]

Greptile Summary

This PR modifies the hardcoded inline session policy passed to AssumeRoleWithWebIdentity in the Bedrock OIDC authentication path, adding three Bedrock Guardrail actions (bedrock:ApplyGuardrail, bedrock:GetGuardrail, bedrock:ListGuardrails) and silently removing the aws:UserAgent condition that previously restricted temporary credential usage to litellm/* user-agents.

Key changes:

• bedrock:ApplyGuardrail, bedrock:GetGuardrail, and bedrock:ListGuardrails added to the allowed actions in the STS inline session policy — this is necessary for Guardrail functionality to work with OIDC-based auth.
• "StringLike":{"aws:UserAgent":"litellm/*"} condition removed without explanation — this weakens the scoping of the temporary credentials and no rationale is provided in the PR description or code comments.
• No tests are added, despite this being an explicit hard requirement in the repository's pre-submission checklist and review rules.
• The PR description does not reference or link to any issue, making it impossible to verify what problem this change is intended to fix.

Confidence Score: 2/5

• Not safe to merge as-is — the removal of the UserAgent condition is undocumented and potentially a security regression, and no tests are included for a security-sensitive change.
• The guardrail action additions appear correct and intentional, but the silent removal of the aws:UserAgent condition is unexplained and weakens the scope of temporary credentials. The PR also lacks any tests, violating an explicit repository requirement. Without a justification for the condition removal and at least one test, this change carries meaningful security and quality risk.
• litellm/llms/bedrock/base_aws_llm.py — specifically the modified Policy JSON string at line 703.

Important Files Changed

Filename	Overview
litellm/llms/bedrock/base_aws_llm.py	Single-line change to the AWS STS AssumeRoleWithWebIdentity inline session policy: adds 3 Bedrock guardrail actions and silently removes the aws:UserAgent condition — the removal is undocumented and weakens the credential scope; no tests are included.

Sequence Diagram

sequenceDiagram
    participant LiteLLM
    participant STS as AWS STS
    participant Bedrock as AWS Bedrock

    LiteLLM->>STS: AssumeRoleWithWebIdentity(RoleArn, WebIdentityToken, Policy)
    Note over STS: Inline session policy now allows:<br/>bedrock:InvokeModel<br/>bedrock:InvokeModelWithResponseStream<br/>bedrock:ApplyGuardrail (NEW)<br/>bedrock:GetGuardrail (NEW)<br/>bedrock:ListGuardrails (NEW)<br/>Condition: aws:SecureTransport=true<br/>(UserAgent restriction REMOVED)
    STS-->>LiteLLM: Temporary Credentials (AccessKeyId, SecretKey, SessionToken)
    LiteLLM->>Bedrock: bedrock:InvokeModel / bedrock:InvokeModelWithResponseStream
    LiteLLM->>Bedrock: bedrock:ApplyGuardrail / bedrock:GetGuardrail / bedrock:ListGuardrails

Loading

_{Last reviewed commit: "iam policy fix"}

[greptile-apps]

UserAgent condition silently removed

The original policy included "StringLike":{"aws:UserAgent":"litellm/*"} as an additional session-policy guard, ensuring the scoped temporary credentials could only be exercised by requests that identify themselves as litellm/*. This PR removes that restriction without any explanation.

Even though user-agent values can be spoofed, the removal still weakens the security posture of the session policy by allowing any caller (e.g. AWS CLI, other SDKs, scripts) to make bedrock:Invoke* and guardrail calls with these temporary credentials. If the motivation was that guardrail SDK calls fail the user-agent check, the fix should be to also match the guardrail SDK's user-agent (e.g. "StringLike":{"aws:UserAgent":["litellm/*","boto3/*"]}) rather than dropping the condition entirely.

Could you confirm whether removing this condition is intentional and, if so, document the reason here?

[greptile-apps]

No tests added for this fix

The pre-submission checklist and repository policy (rule 47800116) explicitly require at least one test to be included with any bug fix. This PR makes a security-sensitive change to an IAM inline session policy — the scope of affected actions and conditions — but contains no tests verifying:

• That the new guardrail actions (bedrock:ApplyGuardrail, bedrock:GetGuardrail, bedrock:ListGuardrails) are present in the generated policy.
• That the "Bool":{"aws:SecureTransport":"true"} condition is preserved.
• That the policy JSON remains syntactically valid and within the AWS packed-policy size limit.

Please add at least one unit test (mocked) under tests/test_litellm/ that validates the shape of the assume_role_params["Policy"] produced by this code path.

Rule Used: What: Ensure that any PR claiming to fix an issue ... (source)