WIF Authentication to Google Cloud Failing - HUGGING_FACE_OIDC_TOKEN Not Found

Hello Hugging Face Community,

I’m hoping to get some help with a persistent authentication issue when trying to connect my Gradio Space to the Google Cloud Dialogflow API using Workload Identity Federation (WIF). I have followed the official documentation meticulously, but the authentication is failing.

The Goal: My Gradio app, hosted on HF Spaces, needs to authenticate to the Google Dialogflow API. I am using the recommended keyless WIF method.

The Problem: My application fails to start. The logs show a google.auth.exceptions.DefaultCredentialsError because it cannot find any credentials. I added diagnostic code to my app.py, and it confirms that the HUGGING_FACE_OIDC_TOKEN environment variable is not being found in the runtime environment.

This indicates that the WIF authentication flow is not being initiated by the Hugging Face platform, even though the secrets are configured.


My Verified Setup:

I have worked extensively with Google Cloud support, and we have confirmed that the Google Cloud side of the configuration appears to be 100% correct.

1. On Hugging Face Spaces (VelaSight/Housing-Navigator-Agent): My README.md file contains the following correctly formatted secrets block:

    secrets:
      GCP_WIF_PROVIDER: "projects/1061214551869/locations/global/workloadIdentityPools/agentpool01/providers/huggingface-provider"
      GCP_SERVICE_ACCOUNT: "gradio-chatbot-invoker@velasight-housing-agent.iam.gserviceaccount.com"

My app.py file is set up to use the default credentials provided by the environment.

2. On Google Cloud Platform:

  • A Workload Identity Pool with ID agentpool01 exists.
  • An OIDC Provider for https://huggingface.co exists within that pool.
  • A service account (gradio-chatbot-invoker@...) exists with the Dialogflow API Client role.
  • The following IAM permission has been successfully saved on the service account, granting access specifically to my HF Space:
    • Role: Workload Identity User
    • Principal: principal://iam.googleapis.com/projects/1061214551869/locations/global/workloadIdentityPools/agentpool01/subject/repo:VelaSight/Housing-Navigator-Agent

My Question for the Community:

Given that all configurations on both platforms appear to be correct according to the documentation, why would the Hugging Face Spaces environment fail to generate and inject the HUGGING_FACE_OIDC_TOKEN?

Has anyone encountered a similar issue? Is there a known bug, or a subtle configuration step on the Hugging Face side that I might be missing? I am completely blocked and would be grateful for any insights.

Thank you!

1 Like
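A diagnostic for the setup described in the post above, added here as an example and not taken from the poster's app.py: it reports whether the token variable is present and, if so, whether its claims match the issuer and subject in the Google Cloud binding. It assumes the token is a compact JWT and that the provider maps google.subject to the token's sub claim; the variable name and expected values are copied from the post, and sample_token is a constructed helper for testing.

```python
import base64
import json
import os
import time

TOKEN_ENV_VAR = "HUGGING_FACE_OIDC_TOKEN"  # name as used in the post
EXPECTED_ISSUER = "https://huggingface.co"  # provider issuer from the post
EXPECTED_SUBJECT = "repo:VelaSight/Housing-Navigator-Agent"  # from the IAM principal


def decode_claims(jwt):
    """Return the JWT payload as a dict. No signature check: for diagnosis only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # base64url drops its padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def diagnose(environ, now=None):
    """Return a list of findings; an empty list means the claims match the binding."""
    token = environ.get(TOKEN_ENV_VAR)
    if not token:
        return [f"{TOKEN_ENV_VAR} is not set: no token to exchange"]
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # also covers bad base64, bad UTF-8 and bad JSON
        return [f"{TOKEN_ENV_VAR} is set but unreadable: {exc}"]
    now = time.time() if now is None else now
    findings = []  # report claims only, never the token itself
    for name, want in (("iss", EXPECTED_ISSUER), ("sub", EXPECTED_SUBJECT)):
        if claims.get(name) != want:
            findings.append(f"{name} is {claims.get(name)!r}, binding expects {want!r}")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        findings.append("exp is missing or in the past")
    return findings


def sample_token(claims):
    """Constructed, unsigned test token (dummy header and signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.sig"


if __name__ == "__main__":
    print("\n".join(diagnose(os.environ) or ["claims match the configured binding"]))
```

The findings contain only claim values, so the output can be pasted into a support thread without exposing the bearer token.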

Are you trying to use it via MCP? I saw a discussion about this on HF Discord a while ago, and it seems that Secrets in Spaces cannot be referenced via MCP. One workaround would be to change the implementation to pass the token every time, but there may be a smarter way.

Hi, thanks for the feedback. I have not set up MCP since Vertex uses A2A (similar to MCP) under the hood. I do have a working model using Dialogflow, but it appears that presently, the communication between Vertex and HuggingFace might be incompatible for sharing secrets unless I am missing something else (entirely possible as well).

1 Like