3.2 KiB
3.2 KiB
LiteLLM Config Precedence Pitfalls
Master Key Config Override (Jul 2026)
The Problem
LiteLLM reads general_settings.master_key from config.yaml when started with --config /app/config.yaml. This value takes precedence over the LITELLM_MASTER_KEY environment variable. If config.yaml has a stale/stub key, the stub silently becomes the UI login password.
How It Manifests
- Admin UI login at
/v2/loginreturns401 Unauthorized - Error:
"Invalid credentials used to access UI. Check 'UI_USERNAME', 'UI_PASSWORD' in .env file" - Container logs:
ProxyExceptionatlogin_utils.pyline 316 inauthenticate_user() - The
/v1/chat/completionsendpoint may still work normally (API keys are separate from UI password) - User knows the correct master key (e.g., from
.env) but login still fails
Root Cause
In login_utils.py, the authenticate_user() function:
- Calls
get_ui_credentials(master_key)which readsUI_USERNAME(default "admin") andUI_PASSWORD(env var ormaster_keyparameter) - The
master_keyparameter comes from LiteLLM's internal state, which loaded it fromgeneral_settings.master_keyin config.yaml - Compares the login form password against this config-file-derived key using
secrets.compare_digest() - If the comparison fails and no database user matches, throws the 401 error
Detection Workflow
# 1. Check container logs for login failures
docker logs litellm --tail 50 2>&1 | grep -A 5 'login_v2\|401 Unauthorized'
# 2. Compare config sources by hash and length (NOT raw value)
ENV_KEY=$(grep LITELLM_MASTER_KEY .env | cut -d= -f2)
CFG_KEY=$(grep 'master_key:' config.yaml | sed 's/.*master_key: //')
echo "env: len=${#ENV_KEY} sha=$(echo -n "$ENV_KEY" | sha256sum | cut -c1-16)"
echo "cfg: len=${#CFG_KEY} sha=$(echo -n "$CFG_KEY" | sha256sum | cut -c1-16)"
# 3. Verify what the container actually sees
docker exec litellm printenv | grep LITELLM_MASTER_KEY
# 4. If lengths/hashes differ → config.yaml has a stale key
# 5. Fix by removing master_key from config.yaml
sed -i '/^ master_key:/d' config.yaml
docker compose restart litellm
# 6. Verify fix with a direct login test
MASTER_KEY=$(grep LITELLM_MASTER_KEY .env | cut -d= -f2)
curl -s -X POST http://127.0.0.1:4000/v2/login \
-H 'Content-Type: application/json' \
-d "{\"username\":\"admin\",\"password\":\"$MASTER_KEY\"}"
# Expected: {"user_id":"...","key":"sk-...","user_role":"proxy_admin",...}
Why API Still Works While Login Fails
LiteLLM has two separate auth paths:
- API key auth (
/v1/chat/completions): Validates keys stored inLiteLLM_VerificationTokentable, independent of the master_key - UI login (
/v2/login): Compares against the in-memorymaster_keywhich came from config.yaml
This is why a config.yaml with a stale key breaks UI login but leaves API traffic unaffected.
Prevention
- Remove
master_keyfrom config.yaml — rely onLITELLM_MASTER_KEYenv var only - Audit dual-source configs — any service with both config file AND env var for the same setting risks this category of mismatch
- Use hash comparison for credentials — never log or transmit raw secret values; compare by hash to detect mismatches without exposing secrets