Leap0

Metadata Service

Read sandbox, exec, network, telemetry, and mount metadata from the in-guest IMDSv2 metadata service.

Leap0 exposes a metadata service inside each sandbox at 169.254.169.254.

It publishes Leap0-specific metadata under http://169.254.169.254/latest/meta-data/leap0.

Read the root document when you want the full payload, or read nested paths such as http://169.254.169.254/latest/meta-data/leap0/mounts when you only need one section.

The root payload includes schema_version so guest code can identify the metadata document version.

The full response schema is documented in the Metadata Service API reference.

Authentication

The metadata service uses IMDSv2. First request a token, then include it on metadata reads.

TOKEN=$(curl -sf -X PUT http://169.254.169.254/latest/api/token \
  -H 'X-metadata-token-ttl-seconds: 60')

curl -sf \
  -H "X-metadata-token: $TOKEN" \
  -H 'Accept: application/json' \
  http://169.254.169.254/latest/meta-data/leap0

Read metadata from a sandbox

from leap0 import Leap0Client

client = Leap0Client()
sandbox = client.sandboxes.create(
    mounts=[
        {
            "type": "object-storage",
            "bucket": "cloud-samples-data",
            "endpoint": "https://storage.googleapis.com",
            "mount_path": "/data/assets",
            "prefix": "adc/",
            "read_only": True,
        }
    ],
)

result = sandbox.process.execute(
    command=(
        "TOKEN=$(curl -sf -X PUT http://169.254.169.254/latest/api/token "
        "-H 'X-metadata-token-ttl-seconds: 60') && "
        "curl -sf -H 'X-metadata-token: $TOKEN' -H 'Accept: application/json' "
        "http://169.254.169.254/latest/meta-data/leap0"
    )
)

print(result.stdout)

client.close()
import { Leap0Client } from "leap0";

const client = new Leap0Client();
const sandbox = await client.sandboxes.create({
  mounts: [
    {
      type: "object-storage",
      bucket: "cloud-samples-data",
      endpoint: "https://storage.googleapis.com",
      mountPath: "/data/assets",
      prefix: "adc/",
      readOnly: true,
    },
  ],
});

const result = await sandbox.process.execute({
  command:
    `TOKEN=$(curl -sf -X PUT http://169.254.169.254/latest/api/token -H 'X-metadata-token-ttl-seconds: 60') && ` +
    `curl -sf -H 'X-metadata-token: $TOKEN' -H 'Accept: application/json' ` +
    `http://169.254.169.254/latest/meta-data/leap0`,
});

console.log(result.stdout);

await client.close();

Was this page helpful?

Firewall

Configure outbound network restrictions for sandbox runtimes.

Object Storage

Mount S3-compatible buckets into a sandbox without exposing credentials inside the guest.

On this page

AuthenticationRead metadata from a sandbox