[Bug]: Cross account webauthn not working #12583

@RichardoC

Description

What happened?

I have litellm running on EKS, using https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html where I've allowed litellm to assume a role arn:aws:iam::1111111111111:role/LitellmRole which is allowed to use Bedrock models via an annotation on the attached Kubernetes service account, as well as assuming the role arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole which is also allowed to use Bedrock models but in another account.

proxy_config:
    model_list: 
      - model_name: "bedrock/*"
        litellm_params:
          model: "bedrock/*"
          aws_region_name: us-east-1
          aws_role_name: arn:aws:iam::1111111111111:role/LitellmRole
      - model_name: "evals-bedrock/*"
        litellm_params:
          model: "bedrock/*"
          aws_region_name: us-east-1
          aws_role_name: arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole 

This setup is so that evals use the rate limits of account 2222222222222 and other usage counts against account 1111111111111.

In the Langfuse traces, it claims (via aws_role_name on the trace) that the following API call used role arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole but checking the AWS CloudTrail logs, it actually used arn:aws:iam::1111111111111:role/LitellmRole.

curl -X POST https://my-api/chat/completions -H "Content-Type: application/json" -H "Authorization: Bearer sk-some-high-entropy-key " -d '{
    "model": "evals-bedrock/us.anthropic.claude-sonnet-4-20250514-v1:0",
    "messages": [
        {
            "role": "user",
            "content": "Hello there3!"
        }
    ]
}'

Instead, what I expected was for litellm as a proxy to assume that second role, and then use that for doing that bedrock call.

Relevant log output

N/A

Are you a ML Ops Team?

Yes

What LiteLLM version are you on ?

v1.72.2

Twitter / LinkedIn details

No response
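
The comparison described in the report (the aws_role_name claimed on the trace versus the role CloudTrail recorded for the Bedrock call) can be automated; the following is an added example, not part of the original issue or LiteLLM's code. The trace export shape, the trace ids and timestamps, and the 5-second matching window are assumptions made for the example; the CloudTrail fields read are eventTime, eventSource, requestParameters.modelId and userIdentity.sessionContext.sessionIssuer.arn.

```python
from datetime import datetime

MAIN = "arn:aws:iam::1111111111111:role/LitellmRole"
EVAL = "arn:aws:iam::2222222222222:role/LitellmEvalBedrockRole"
MODEL = "us.anthropic.claude-sonnet-4-20250514-v1:0"

def ct_event(time, role_arn):
    """Build a constructed CloudTrail-style record for a Bedrock call (sample data)."""
    return {"eventTime": time, "eventSource": "bedrock.amazonaws.com",
            "eventName": "InvokeModel", "requestParameters": {"modelId": MODEL},
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}

# Constructed sample input: trace ids and timestamps are invented, and the
# trace dict shape is a hypothetical export format, not Langfuse's own schema.
TRACES = [
    {"id": "trace-evals", "time": "2025-01-01T10:00:00Z", "model_id": MODEL, "aws_role_name": EVAL},
    {"id": "trace-default", "time": "2025-01-01T10:05:00Z", "model_id": MODEL, "aws_role_name": MAIN},
]
EVENTS = [ct_event("2025-01-01T10:00:01Z", MAIN), ct_event("2025-01-01T10:05:02Z", MAIN)]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def issuer_arn(event):
    """Role that signed the call according to CloudTrail, or None if not an assumed role."""
    ident = event.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return None
    return ((ident.get("sessionContext") or {}).get("sessionIssuer") or {}).get("arn")

def audit(traces, events, window_s=5):
    """Return (trace id, finding, roles seen) for traces whose claimed role is not in CloudTrail."""
    bedrock = [e for e in events if e.get("eventSource") == "bedrock.amazonaws.com"]
    findings = []
    for t in traces:
        t0 = _ts(t["time"])
        # Heuristic match: same model id, event time within window_s of the trace.
        near = [e for e in bedrock
                if abs((_ts(e["eventTime"]) - t0).total_seconds()) <= window_s
                and (e.get("requestParameters") or {}).get("modelId") == t["model_id"]]
        roles = {issuer_arn(e) for e in near}
        if not near:
            findings.append((t["id"], "no-cloudtrail-event", None))
        elif t["aws_role_name"] not in roles:
            findings.append((t["id"], "role-mismatch", sorted(r for r in roles if r)))
    return findings

if __name__ == "__main__":
    for finding in audit(TRACES, EVENTS):
        print(finding)
```

The events passed in should be the merged trails of both accounts, since a call that really used the second role is recorded in account 2222222222222 rather than in 1111111111111.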
