
How to configure Ceph Cloud Run for secure, repeatable access

A new engineer joins the team, needs to test a backup restore, and your Ceph cluster is locked down behind layers of IAM rules. You could hand them temporary keys, pray they clean up, and hope nothing breaks. Or you could make Ceph Cloud Run manage access neatly, automatically, and with a clean audit trail.

Ceph is your durable, self-healing object store. Google Cloud Run gives you stateless, on-demand containers without servers to patch. On their own, they’re powerful. Together, they can be frictionless if you wire identity, permissions, and storage correctly. The trick is to treat Ceph as a service endpoint authenticated through Cloud Run’s short-lived credentials, not as a bucket with permanent keys.

When configured right, Ceph Cloud Run runs jobs as identity-aware clients. Cloud Run retrieves access tokens from your identity provider (Okta, AWS IAM, or Google Identity Platform). Those tokens map to Ceph users created by your provisioning pipeline. Every container request is verified, logged, and bounded by role-based policies. You avoid long-lived keys entirely.

Conceptually, the integration flow is simple:

  1. Cloud Run spins up your service with an injected OIDC identity.
  2. Ceph confirms that identity against your auth gateway or trust policy.
  3. S3 calls from your app proceed within that scoped context, producing auditable logs.

That’s automation instead of credential chaos.

To tighten it up, follow a few best practices. Map Cloud Run service accounts to Ceph users 1:1 for traceability. Use least-privilege policies and rotate any static secrets used for bootstrap steps. Add request signing in your libraries to detect any replay attempt. And most importantly, keep your audit logs centralized; Ceph’s RGW logs plus Cloud Audit Logs make compliance checks painless.
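The trust check in step 2 and the 1:1 service-account-to-Ceph-user mapping above, as an added illustration (not hoop.dev's or Ceph's own code): the claims of a Cloud Run OIDC token are matched against a role trust policy shaped like the AWS/Ceph RGW STS trust document, and an accepted token resolves to exactly one provisioned Ceph user. The issuer, audience, subject and user names are constructed samples.

```python
import time

# Constructed trust policy in the shape of an STS role trust document:
# only tokens from this issuer, for this audience and this subject, are allowed.
TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam:::oidc-provider/accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "accounts.google.com:aud": "ceph-rgw",
            "accounts.google.com:sub": "service-account-123",
        }},
    }]
}

# Constructed 1:1 map from the Cloud Run service-account subject to a Ceph user,
# the kind of record a provisioning pipeline would create.
SUBJECT_TO_CEPH_USER = {"service-account-123": "run-backup-restore"}


def evaluate_trust(claims, policy, now=None):
    """Return the Ceph user an OIDC token maps to, or raise PermissionError."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    issuer = claims.get("iss", "")
    if issuer.startswith("https://"):
        issuer = issuer[len("https://"):]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"]["Federated"] != f"arn:aws:iam:::oidc-provider/{issuer}":
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys are "<issuer>:<claim>"; every listed claim must match exactly,
        # so a token for another audience or another workload is rejected.
        if all(key.split(":", 1)[0] == issuer
               and claims.get(key.split(":", 1)[1]) == expected
               for key, expected in conds.items()):
            user = SUBJECT_TO_CEPH_USER.get(claims.get("sub"))
            if user is None:
                raise PermissionError("no Ceph user provisioned for this subject")
            return user
    raise PermissionError("no trust statement matches the token")
```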


A quick answer for the curious: How do I connect Ceph and Cloud Run?
Use an OIDC or IAM-based identity mapping layer so Cloud Run tasks receive short-lived tokens that Ceph trusts, rather than storing static access keys inside containers. It’s the simplest and most secure pattern available today.

Teams usually switch to this model once they see how much toil it cuts. With ephemeral credentials and automatic onboarding, developers stop waiting for service accounts. Deploys move faster, and debugging storage permissions becomes trivial. Fewer pings in Slack, more code pushed to production.

Platforms like hoop.dev turn those access rules into guardrails that enforce policy automatically, connecting your identity provider to your containerized workloads so you get the same least-privilege design without duct tape or weekend maintenance.

Benefits worth noting:

  • Ephemeral access removes long-lived secrets from codebases
  • Clear audit logs reduce compliance pain and speed up reviews
  • Role-based mapping improves security posture and traceability
  • Automatic token rotation minimizes admin overhead
  • Faster experimentation means faster feature delivery

As AI copilots and automation tools start hitting your storage APIs, the same principles hold. Tokens scoped to identity and job function prevent data drift or model leakage. Adaptive proxies can even apply policy on behalf of those agents in real time.

Ceph Cloud Run is about turning solid infrastructure into reliable workflows. Configure identity once, re-use it everywhere, and watch your operational noise drop to near zero.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
