
What Cloud Run EC2 Instances Actually Do and When to Use Them



Your app scales beautifully in the cloud, until you need one part to run in a fully managed environment and another to live next to some sensitive data in a private VPC. That’s when teams start asking how Cloud Run EC2 Instances can work together without losing their minds to identity wiring or network plumbing.

Cloud Run is Google Cloud’s serverless container platform. It spins up workloads on request, charges by the millisecond, and terminates when idle. EC2 Instances, on the other hand, are AWS’s bread-and-butter virtual machines: customizable, persistent, and deeply integrated into everything from EBS to IAM roles. Each does its job well, but real-world systems don’t fit tidy vendor lines. A modern architecture often wants the elasticity of Cloud Run with the proximity, control, or data gravity of EC2.

The trick is understanding the flow of identity and access between them. Cloud Run needs scoped IAM credentials to call AWS APIs, while EC2 might need to reach back into Cloud Run endpoints with verified tokens. The goal is to create a bridge where each side trusts the other through short-lived, auditable credentials. Nothing long-term, nothing leaked in environment variables.

In practice, you link an identity provider like Okta or AWS IAM’s OIDC federation. Cloud Run uses a workload identity that exchanges tokens with AWS via IAM Roles for Web Identity. EC2 then accesses Cloud Run through signed requests verified by Google’s IAP or service identity. The entire pipe works on standard OIDC, which keeps auditors calm and engineers moving fast.

When something breaks, look first at assumptions about trust domains. Misaligned audience claims or stale tokens cause most errors here. Keep your token lifetimes short, rotate keys automatically, and map each service to the least privilege it requires. The less humans touch, the fewer credentials you’ll be chasing later.


Benefits of pairing Cloud Run with EC2 Instances

  • Route traffic intelligently between serverless and stateful workloads
  • Leverage AWS regional zones while keeping stateless APIs in Cloud Run
  • Strengthen identity posture through federated OIDC and short-lived tokens
  • Cut costs by running spiky workloads on Cloud Run while anchoring data on EC2
  • Simplify auditing with unified policy management across providers

For developers, this means faster shipping and fewer Slack pings about "who can access staging." It tightens the feedback loop and keeps environments consistent across teams. Velocity improves because no one waits for a token refresh that takes two meetings and a spreadsheet.

Platforms like hoop.dev take this further by turning access rules into automated policies that enforce identity-aware controls across clouds. They eliminate the duct tape of manual credential swaps, giving you identity consistency from your laptop to production.

How do I connect Cloud Run to an EC2 instance?
Authenticate both sides through a federated identity provider supporting OIDC. Grant Cloud Run a workload identity capable of assuming an AWS role, and configure that role’s trust relationship accordingly. EC2 can then access authenticated endpoints through signed requests verified by Google’s IAM or IAP layers.
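The exchange described in the answer above and the failure modes called out earlier (misaligned audience claims, stale tokens) come down to a handful of checks on the ID token before any short-lived credential is issued. The block below is an added example, not code from the original post or from hoop.dev: a workload mints an OIDC-style ID token for a specific audience, and the relying party verifies issuer, audience, signature and lifetime before handing back an expiring session. It signs with HS256 and a shared secret purely so it runs offline; real Google-issued tokens are RS256 and must be verified against Google's published JWKS, and the audience string, issuer and key-id formats here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values. A production relying party would pin the issuer
# "https://accounts.google.com" and verify RS256 against Google's JWKS instead
# of a shared secret; the audience is whatever the role's trust policy expects.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://accounts.google.com"
DEMO_AUDIENCE = "sts.amazonaws.com/example-role"  # hypothetical audience


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject, audience, now, ttl=300, secret=DEMO_SECRET, issuer=DEMO_ISSUER):
    """Build a compact JWT carrying iss/sub/aud/iat/exp. Short ttl keeps replay windows small."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_id_token(token, expected_aud, now, secret=DEMO_SECRET, expected_iss=DEMO_ISSUER, skew=60):
    """Return the claims when signature, issuer, audience and lifetime all pass; raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header is attacker-controlled until the signature is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch")  # the most common cross-cloud misconfiguration
    if now > claims.get("exp", 0) + skew:
        raise ValueError("token expired")  # stale token, the other frequent cause
    if claims.get("iat", 0) > now + skew:
        raise ValueError("token issued in the future")
    return claims


def exchange_for_session(token, expected_aud, now, session_ttl=900):
    """Relying-party side: verify the ID token, then issue short-lived session credentials that expire on their own."""
    claims = verify_id_token(token, expected_aud, now)
    return {
        "principal": claims["sub"],
        # Constructed key id; not a real AWS credential format.
        "session_key_id": "DEMO-" + secrets.token_hex(4),
        "expires_at": now + session_ttl,
    }


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_id_token("cloud-run-sa@example-project.iam", DEMO_AUDIENCE, now)
    print(exchange_for_session(token, DEMO_AUDIENCE, now))
    for label, args in [("wrong audience", (token, "another-role", now)),
                        ("stale token", (token, DEMO_AUDIENCE, now + 400))]:
        try:
            verify_id_token(*args)
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```

The ordering matters: the signature is checked before any claim is trusted, the algorithm is pinned rather than read from the header, and the audience is compared against the value the relying party itself expects, which is exactly the place where a role trust policy and a token request drift apart.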

In short, Cloud Run EC2 Instances are about meeting in the middle: elasticity with control, automation with accountability. The bridge is identity, and building it right turns multi-cloud from a hassle into an advantage.

See an Environment Agnostic Identity-Aware Proxy in action with hoop.dev. Deploy it, connect your identity provider, and watch it protect your endpoints everywhere—live in minutes.
