Error " Invalid OAuth scope or ID token audience provided" with Agent using a service account from a credential json file

[webravolab]

Hello, i'm experiencing a weird problem trying to connect one Adk agent to an MCP server (using Toolbox), both deployed on Google Cloud Run. The MCP server requires IAM authentication, and I'm trying to make the Agent run as a service account that has the permissions to connect to the MCP server.

I'm using Application Default Credentials by providing the agent with a credential json file, and setting the GOOGLE_APPLICATION_CREDENTIAL env variable.

Connecting to the agent via Cloud Run public url it loads ok, but just typing "Hi" in the chat i received the following error:

google.auth.exceptions.RefreshError: ('invalid_scope: Invalid OAuth scope or ID token audience provided.', {'error': 'invalid_scope', 'error_description': 'Invalid OAuth scope or ID token audience provided.'})

The stack shows the error comes from _get_runner_async() in fast_api.py

I've tried to give the service account all the possible roles and permissions but don't seems to be related with roles.

I've also tried to add the service account id in Google Workspace giving the scope https://www.googleapis.com/auth/cloud-platform but nothing changed.

Any suggestion on the cause and how to fix it?

Here is my Agent code snippet:

from google.adk.agents import Agent
from google.adk.runners import Runner
from google.adk.sessions import InMemorySessionService
from google.adk.artifacts.in_memory_artifact_service import InMemoryArtifactService
from toolbox_core import ToolboxSyncClient, auth_methods
import os

os.environ['GOOGLE_GENAI_USE_VERTEXAI'] = 'True'
os.environ['GOOGLE_CLOUD_PROJECT'] = 'my-project'
os.environ['GOOGLE_CLOUD_LOCATION'] = 'global'
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = '/keys/key.json'

auth_token_provider = auth_methods.aget_google_id_token
toolbox_client = ToolboxSyncClient(
    "https://mcp-test-xxxxxxxxxxx.run.app",
    client_headers={"Authorization": auth_token_provider},
)

my_tools = toolbox_client.load_toolset("my-toolset")

prompt = "my prompt"

root_agent = Agent(
    model='gemini-2.5-flash-preview-05-20',
    name='my_test_agent',
    description='A test AI assistant',
    instruction=prompt,
    tools=my_tools
)