fix: Add PROXY_ADMIN role to system user for key rotation

[milan-berri]

Fixes key rotation authorization issue for team keys

Pre-Submission checklist

Please complete all items before asking a LiteLLM maintainer to review your PR

• I have Added testing in the tests/litellm/ directory, Adding at least 1 test is a hard requirement - see details
• My PR passes all unit tests on make test-unit
• My PR's scope is as isolated as possible, it only solves 1 specific problem
• Fix has been verified with test script confirming system user has PROXY_ADMIN role
• I have requested a Greptile review by commenting @greptileai and received a Confidence Score of at least 4/5 before requesting a maintainer review

CI (LiteLLM team)

CI status guideline:

• 50-55 passing tests: main is stable with minor issues.
• 45-49 passing tests: acceptable but needs attention
• <= 40 passing tests: unstable; be careful with your merges and assess the risk.

• Branch creation CI run Link:
• CI run for the last commit Link:
• Merge / cherry-pick CI run Links:

Type

🐛 Bug Fix

Changes

Problem

The key rotation worker fails with authorization error when attempting to rotate team keys:

You are not authorized to regenerate this key

Root Cause

The system user created by UserAPIKeyAuth.get_litellm_internal_jobs_user_api_key_auth() was missing the user_role field. Without user_role=PROXY_ADMIN, the system user couldn't bypass team permission checks in can_team_member_execute_key_management_endpoint(), causing authorization failures.

Solution

Added user_role=LitellmUserRoles.PROXY_ADMIN to the system user in litellm/proxy/_types.py. This allows the internal key rotation worker to bypass team permission checks and successfully rotate keys for all teams.

Reproduction Steps

1. Enable key rotation:

   export LITELLM_KEY_ROTATION_ENABLED=true
   export LITELLM_KEY_ROTATION_CHECK_INTERVAL_SECONDS=60

2. Create a team key with auto-rotation:

   curl -X POST http://localhost:4000/key/generate \
     -H "Authorization: Bearer sk-1234" \
     -H "Content-Type: application/json" \
     -d '{
       "team_id": "team-123",
       "auto_rotate": true,
       "rotation_interval": "30d"
     }'

3. Wait for rotation worker to run → observe authorization error

Files Modified

• litellm/proxy/_types.py: Added user_role=LitellmUserRoles.PROXY_ADMIN to system user (1 line change)

Impact

• Fixes automated key rotation for team keys
• Minimal change with no side effects (system user only used by key rotation worker)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
litellm	Ready	Preview, Comment	Feb 22, 2026 6:01pm

[greptile-apps]

Greptile Summary

This PR fixes an authorization bug where the automated key rotation worker failed to rotate team keys because the system user (get_litellm_internal_jobs_user_api_key_auth()) was missing the user_role field. Without user_role=LitellmUserRoles.PROXY_ADMIN, the system user could not bypass the user_role check in TeamMemberPermissionChecks.can_team_member_execute_key_management_endpoint(), causing a team member permission error during key regeneration.

The fix is a single-line addition that correctly assigns PROXY_ADMIN to the system user. The change is safe because:

• The system user is only instantiated by the key rotation worker (KeyRotationManager._rotate_key())

• The can_modify_verification_token function already had a separate bypass for this service account via api_key check, but the earlier can_team_member_execute_key_management_endpoint check was failing first

• Missing tests: The PR does not include any new tests in tests/litellm/, which is listed as a hard requirement in the PR checklist. A simple unit test verifying the system user has the PROXY_ADMIN role should be added.

Confidence Score: 4/5

• This PR is safe to merge — it is a correct one-line fix to a clear authorization bug, though a regression test should be added.
• The change is minimal (1 line), correctly addresses the root cause, and the system user is only used in the key rotation worker context. The only concern is the absence of a test, but the code change itself is correct and low-risk.
• No files require special attention — the single change in litellm/proxy/_types.py is straightforward.

Important Files Changed

Filename	Overview
litellm/proxy/_types.py	Adds user_role=LitellmUserRoles.PROXY_ADMIN to the internal jobs system user so the key rotation worker can bypass team permission checks. The fix is correct and minimal — no missing test is the only concern.

Sequence Diagram

sequenceDiagram
    participant KRM as KeyRotationManager
    participant Types as UserAPIKeyAuth
    participant RKF as regenerate_key_fn
    participant TMPC as TeamMemberPermissionChecks
    participant CMVT as can_modify_verification_token

    KRM->>Types: get_litellm_internal_jobs_user_api_key_auth()
    Types-->>KRM: system_user (user_role=PROXY_ADMIN)
    KRM->>RKF: regenerate_key_fn(data, system_user)
    RKF->>TMPC: can_team_member_execute_key_management_endpoint(system_user)
    Note over TMPC: Check user_role == PROXY_ADMIN ✅<br/>(Previously failed: user_role was None)
    TMPC-->>RKF: Authorized (bypass)
    RKF->>CMVT: can_modify_verification_token(system_user)
    Note over CMVT: Check user_role == PROXY_ADMIN ✅<br/>(Also checks api_key fallback)
    CMVT-->>RKF: Authorized
    RKF-->>KRM: GenerateKeyResponse (new key)

Loading

_{Last reviewed commit: 0212275}

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Missing unit test for this change

The PR checklist states "Adding at least 1 test is a hard requirement," but no tests were added. A simple test in tests/test_litellm/proxy/ that asserts the system user returned by get_litellm_internal_jobs_user_api_key_auth() has user_role == LitellmUserRoles.PROXY_ADMIN would serve as a regression test and satisfy this requirement. For example:

from litellm.proxy._types import UserAPIKeyAuth, LitellmUserRoles

def test_internal_jobs_user_has_proxy_admin_role():
    system_user = UserAPIKeyAuth.get_litellm_internal_jobs_user_api_key_auth()
    assert system_user.user_role == LitellmUserRoles.PROXY_ADMIN

Context Used: Rule from dashboard - What: Ensure that any PR claiming to fix an issue includes evidence that the issue is resolved, such... (source)