AgentNexus added a signed dispatcher path for Google Cloud Run sandbox jobs. The Worker signs bounded job requests, while a Cloud Run Dispatcher uses its service identity to run the approved sandbox job.
Status: Keyless path added
Category: Security
Date: May 15, 2026
Impact
Operators can keep organization policies that block service account key creation while still preparing a durable sandbox dispatch path.
What changed
AgentNexus added a signed Worker-to-Cloud-Run dispatcher path for ephemeral sandbox jobs. The Worker can now use a dispatcher URL and HMAC secret instead of a Google access token or service account JSON.
A small Cloud Run Dispatcher scaffold validates signatures, timestamps, and the allowlisted sandbox job target before calling the Cloud Run Jobs API with its attached service identity.
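The three dispatcher checks described above (signature, timestamp, allowlisted job) can be sketched as follows. This is an added example, not AgentNexus code: the signed-string layout, the 300-second window, the field names and the job name `sandbox-runner` are all assumptions made for illustration.

```javascript
// Added example, not AgentNexus code. Assumed wire format:
// signature = hex(HMAC-SHA256(secret, `${timestamp}.${rawBody}`)).
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300;                      // assumed freshness window
const ALLOWED_JOBS = new Set(["sandbox-runner"]);  // hypothetical job name

// Worker side: sign the timestamp together with the exact bytes being sent.
function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Dispatcher side: decide whether a request may reach the Cloud Run Jobs API.
function verifyDispatch({ secret, timestamp, signature, rawBody, now }) {
  const ts = Number(timestamp);
  if (!Number.isInteger(ts)) return { ok: false, reason: "bad-timestamp" };
  if (Math.abs(now - ts) > MAX_SKEW_SECONDS) return { ok: false, reason: "stale" };

  // Compare equal-length digests in constant time; malformed hex fails the length check.
  const expected = Buffer.from(sign(secret, timestamp, rawBody), "hex");
  const given = Buffer.from(String(signature), "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  // Parse only after the signature over the raw bytes has been verified.
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, reason: "bad-json" }; }
  if (!ALLOWED_JOBS.has(body?.job)) return { ok: false, reason: "job-not-allowed" };
  return { ok: true, job: body.job };
}

// Constructed sample request: what the Worker would send and the dispatcher's decision.
const SECRET = "constructed-demo-secret";
const NOW = 1778800000; // constructed Unix time in seconds
const rawBody = JSON.stringify({ job: "sandbox-runner", runId: "demo-1" });
const request = { secret: SECRET, timestamp: String(NOW), rawBody, now: NOW };
request.signature = sign(SECRET, request.timestamp, rawBody);
console.log(verifyDispatch(request));
```

The allowlist check runs even for correctly signed requests, so a leaked HMAC secret still cannot name a job outside the approved set.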
Why it matters
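This keeps sandbox execution aligned with Google Cloud organization policies that prohibit service account key creation. It also reduces the blast radius of the Worker configuration, which now holds a dispatcher URL and HMAC secret instead of a Google access token or service account JSON.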
What to do
Deploy the dispatcher service, grant it permission to run only the approved sandbox job, then configure the Worker with `GCP_SANDBOX_DISPATCHER_URL` and `GCP_SANDBOX_DISPATCHER_SECRET`.