Hello Hugging Face Community,
I’m hoping to get some help with a persistent authentication issue when trying to connect my Gradio Space to the Google Cloud Dialogflow API using Workload Identity Federation (WIF). I have followed the official documentation meticulously, but the authentication is failing.
The Goal: My Gradio app, hosted on HF Spaces, needs to authenticate to the Google Dialogflow API. I am using the recommended keyless WIF method.
The Problem: My application fails to start. The logs show a google.auth.exceptions.DefaultCredentialsError because it cannot find any credentials. I added diagnostic code to my app.py, and it confirms that the HUGGING_FACE_OIDC_TOKEN environment variable is not being found in the runtime environment.
This indicates that the WIF authentication flow is not being initiated by the Hugging Face platform, even though the secrets are configured.
My Verified Setup:
I have worked extensively with Google Cloud support, and we have confirmed that the Google Cloud side of the configuration appears to be 100% correct.
1. On Hugging Face Spaces (VelaSight/Housing-Navigator-Agent): My README.md file contains the following correctly formatted secrets block:

```yaml
secrets:
  GCP_WIF_PROVIDER: "projects/1061214551869/locations/global/workloadIdentityPools/agentpool01/providers/huggingface-provider"
  GCP_SERVICE_ACCOUNT: "gradio-chatbot-invoker@velasight-housing-agent.iam.gserviceaccount.com"
```

My app.py file is set up to use the default credentials provided by the environment.
2. On Google Cloud Platform:
- A Workload Identity Pool with ID agentpool01 exists.
- An OIDC Provider for https://huggingface.co exists within that pool.
- A service account (gradio-chatbot-invoker@...) exists with the Dialogflow API Client role.
- The following IAM permission has been successfully saved on the service account, granting access specifically to my HF Space:
  - Role: Workload Identity User
  - Principal: principal://iam.googleapis.com/projects/1061214551869/locations/global/workloadIdentityPools/agentpool01/subject/repo:VelaSight/Housing-Navigator-Agent
My Question for the Community:
Given that all configurations on both platforms appear to be correct according to the documentation, why would the Hugging Face Spaces environment fail to generate and inject the HUGGING_FACE_OIDC_TOKEN?
Has anyone encountered a similar issue? Is there a known bug, or a subtle configuration step on the Hugging Face side that I might be missing? I am completely blocked and would be grateful for any insights.
Thank you!
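
A preflight check for the setup described in this post, as an added example that is not part of the original post: it reports whether the token variable is present and, if so, whether its iss and sub claims match the provider issuer and the IAM principal subject quoted above. It assumes the token is a compact JWT and that the provider maps google.subject from the sub claim; the function names are hypothetical.

```python
import base64
import json
import time

# Values copied from the post; the variable name is the one the post's diagnostics look for.
TOKEN_VAR = "HUGGING_FACE_OIDC_TOKEN"
EXPECTED_ISSUER = "https://huggingface.co"
EXPECTED_SUBJECT = "repo:VelaSight/Housing-Navigator-Agent"

def jwt_claims(token):
    """Decode a compact JWT's payload. No signature check: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def preflight(env, now=None):
    """Return a list of findings; an empty list means the token fits the binding."""
    now = time.time() if now is None else now
    token = env.get(TOKEN_VAR)
    if not token:
        return [f"{TOKEN_VAR} is not set, so there is no subject token to exchange"]
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"{TOKEN_VAR} is not a decodable JWT: {exc}"]
    findings = []
    if claims.get("iss") != EXPECTED_ISSUER:
        findings.append(f"iss is {claims.get('iss')!r}, provider expects {EXPECTED_ISSUER!r}")
    # Assumption: the provider maps google.subject from the token's sub claim.
    if claims.get("sub") != EXPECTED_SUBJECT:
        findings.append(f"sub is {claims.get('sub')!r}, IAM binding expects {EXPECTED_SUBJECT!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("token is expired or has no usable exp claim")
    return findings

def sample_token(claims):
    """Build an unsigned, constructed token for exercising preflight()."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"

if __name__ == "__main__":
    import os
    for line in preflight(os.environ) or ["token matches the expected issuer and subject"]:
        print(line)
```

Running it at the top of app.py separates "no token was injected" from "a token exists but does not match the binding", which fail in the same place once google.auth is called.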