You’ve got a model trained in SageMaker and an API endpoint waiting in Cloud Run. The dream is simple: every deploy triggers an inference call without any credentials taped to your CI logs. But credentials creep back in, IAM roles tangle, and “just one test” turns into a week of debugging OIDC claims. Time to fix that.
Cloud Run gives you a fully managed container runtime on Google Cloud. It scales on demand and lets you run any container behind a private URL with Google identity baked in. Amazon SageMaker handles the training and hosting of machine learning models with tight integration to AWS storage and IAM. The two shine in their own clouds, but when you connect them, you unlock rapid experiment loops: deploy in Google, infer in AWS, measure, repeat.
To wire Cloud Run and SageMaker together, you rely on identity federation. Instead of static keys, Cloud Run’s service account issues a short-lived identity token using Workload Identity Federation. That token gets verified by AWS STS, which then grants temporary access to SageMaker’s InvokeEndpoint API. You never see a credential, and yet the request flows securely across clouds. Think of it as a cross-cloud handshake done right.
If anything breaks, it is almost always IAM. Make sure the AWS role trusts the Google identity provider, and confirm token audiences match. Rotate those roles through Terraform or a CI policy file. The fewer humans touching keys, the safer and saner your life becomes.
Benefits of linking Cloud Run and SageMaker
- Fast inference calls across clouds without VPNs or key management
- Full audit trails through native IAM logs and CloudTrail
- Zero standing credentials in environment variables
- Reduced deployment time since authentication is automated
- Simplified rollback or retraining workflows using event triggers
A quick answer for the impatient: To connect Google Cloud Run and AWS SageMaker securely, use workload identity federation so that Cloud Run’s service account exchanges an OIDC token for temporary AWS credentials, eliminating long-lived API keys. That’s your one-sentence playbook.
This setup not only cuts latency but makes developer life smoother. You can deploy updates in Cloud Run, run an experiment on SageMaker, and push logs back to BigQuery without switching consoles or asking Ops for another secret rotation. Productivity increases, security teams sleep better, and experiments don’t pause for credential wrangling.
AI copilots thrive in this pattern too. Once you remove manual key flows, you can safely let agents trigger model retrains or A/B tests. The boundary between “app” and “model” starts to fade, and everything becomes scriptable.
Platforms like hoop.dev take these federation patterns and turn them into policy-backed gates. They onboard your identity provider, enforce who can hit what endpoint, and keep SOC 2 auditors happy without turning DevOps into a ticket queue.
Connecting Cloud Run to SageMaker the right way is about trust, not glue code. Let each cloud do what it does best, and let automation handle the handshake.
See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.