Google Cloud Blog
Follow
Safely run AI-generated code in Cloud Run sandboxes
Google Cloud has introduced Cloud Run sandboxes, a new feature available in public preview. These sandboxes provide a secure and rapid runtime environment for executing untrusted code, such as AI-generated scripts. Previously, developers relied on complex infrastructure or third-party solutions to achieve similar isolation. Cloud Run sandboxes are designed to be lightweight and can be spawned quickly within existing Cloud Run service instances. Key use cases include LLM code interpreters for data analysis, headless browsers for web scraping, and secure execution of user-submitted code. Enabling sandboxes is as simple as adding a flag during service deployment. Once enabled, a sandbox CLI binary is mounted, allowing applications to spawn sandboxes programmatically. The security architecture emphasizes a zero-trust approach, isolating credentials and environments. Network egress is denied by default, and the filesystem overlay is read-only with temporary write capabilities. Cloud Run sandboxes integrate with the Agent Development Kit and ComputeSDK for simplified code execution. This feature runs on existing allocated resources, incurring no additional cost for users.