Here’s a question we hear often at Google Cloud: How do you safely run AI-generated code or untrusted binaries without putting your host application, data, and cloud credentials at risk? In other words, how do you give AI-written programs a safe space to run — one that keeps them completely separate from your trusted programs with higher privileges?
Until now, developers had to build complex sandboxing infrastructure using container clusters or pay for specialized third-party microVM runtimes.
Today, at WeAreDevelopers World Congress, we are announcing Google Cloud Run sandboxes in public preview. Cloud Run sandboxes are a native, secure, and ultra-fast runtime environment built specifically for executing untrusted code and agent workloads, starting in milliseconds.
In the following example, we send requests to safely execute untrusted Python code on a Cloud Run service that starts, executes, and stops 1,000 sandboxes with an average of 500ms latency:

In this post, we’ll share more about the feature and core use cases.
What is a Cloud Run sandbox?
Cloud Run sandboxes are lightweight, isolated execution boundaries that you can spawn near-instantly within your existing Cloud Run service instances.
Whether you need to let an LLM run a dynamically generated Python script to calculate business margins or spin up a headless browser to perform web research, Cloud Run sandboxes give you a secure, isolated sandbox to run these tasks without leaving your serverless environment.

Core use cases
-
LLM code interpreters: Build advanced data analysis features into your AI products. Let your models write and execute Python, R, or SQL code to analyze datasets, generate charts, and perform complex math securely.
-
Headless browsers: Give your agents a secure environment to run browsers. Safely scrape web pages, take screenshots, and automate web workflows without risking your host machine.
-
User-submitted code execution: Beyond AI, platforms hosted on Cloud Run can use sandboxes to safely run custom scripts, plugins, or webhooks uploaded by their own end-users.
How it works: The developer experience
Enabling sandboxes on your Cloud Run service is as simple as adding a single flag to your deployment.
Step 1: Enable the sandbox launcher
When deploying your Cloud Run service, enable the sandbox launcher via gcloud or your YAML configuration:
- code_block
- <ListValue: [StructValue([('code', 'gcloud beta run deploy my-agent-service \rn –image=gcr.io/my-project/agent-image \rn –sandbox-launcher'), ('language', ''), ('caption', )])]>
Step 2: Spawn a sandbox natively in your code
Once enabled, a lightweight sandbox CLI binary is automatically mounted into your execution environment. Your agent application can spawn sandboxes programmatically using standard subprocess calls.
Here is how easily you can run an untrusted Python script generated by an LLM:
- code_block
- <ListValue: [StructValue([('code', 'import subprocessrnrndef run_untrusted_code(llm_code: str):rn # 1. Write the untrusted LLM code to a local filern with open("/tmp/generated_script.py", "w") as f:rn f.write(llm_code)rn rn # 2. Run it inside the secure sandboxrn # The sandbox shares your container's filesystem tools but runs in a secure silorn result = subprocess.run(rn ["sandbox", "do", "–", "python3", "/tmp/generated_script.py"],rn capture_output=True,rn text=True,rn timeout=10rn )rn rn return result.stdout if result.returncode == 0 else result.stderr'), ('language', ''), ('caption', )])]>
Security by design: Zero-trust by default
Cloud Run sandboxes are engineered to protect your host application and cloud resources from malicious or erroneous code execution. The runtime enforces three critical security boundaries:
1. Credential and environment isolation: These sandboxes do not have access to the Cloud Run service’s environment variables nor do they have the ability to call the Google Cloud metadata server.
2. Locked-down network egress (deny-by-default): By default, sandboxes have zero outbound network access. If your agent is tricked into running a script that attempts to exfiltrate data to a malicious server, the network request is blocked at the system layer. Egress can be enabled only when explicitly requested:
- code_block
- <ListValue: [StructValue([('code', 'sandbox do –allow-egress — curl https://api.github.com'), ('language', ''), ('caption', )])]>
3. Safe filesystem overlay: The sandbox runs with a read-only view of your container’s filesystem (allowing it to use your installed packages, Python runtimes, and binaries) but writes all changes to an isolated, temporary memory overlay. Once the sandbox execution ends, all generated files are discarded. Though you can still import and export files as needed for re-use across sandboxes:
- code_block
- /tmp/work/status.txt”rnrn# Import the archive file in a new sandboxrnsandbox do –write –import-tar=/tmp/work.tar \rn — /bin/bash -c “cat /tmp/work/status.txt”‘), (‘language’, ”), (‘caption’, )])]>
ADK and ComputeSDK built-in support
Cloud Run sandboxes will be supported in the next version of Agent Development Kit with a new CloudRunSandboxCodeExecutor. This integration gives your ADK agents running on Cloud Run the ability to execute code in one single line:
- code_block
- <ListValue: [StructValue([('code', 'from google.adk.agents import Agentrnfrom google.adk.integrations.cloud_run import CloudRunSandboxCodeExecutorrnrnanalyst_agent = Agent(rn name="cloud_run_data_analyst",rn model="gemini-3.1-pro-preview",rn system_instruction=(rn "You are an expert data analyst. Write and execute Python code to answer "rn "user questions and process data safely."rn ),rn code_executor=CloudRunSandboxCodeExecutor(),rn)'), ('language', ''), ('caption', )])]>
Cloud Run sandboxes were also added to ComputeSDK, a vendor agnostic SDK for running sandboxes. This SDK allows you to either invoke sandboxes remotely from outside the Cloud Run service or use them directly as a local tool on the service. You can learn how to use this SDK for Cloud Run sandboxes here.
Get started today
Unlike dedicated sandbox hosting platforms that charge high premiums for on-demand virtual machines, Cloud Run sandboxes run directly on your existing allocated CPU and memory. Because the sandboxes share the resources of your running instances, there is no additional cost or premium to use this feature. You can check out our documentation here.