How permissions work
Each drive can have up to 3 permission rules. A permission rule contains:| Field | Description | Default |
|---|---|---|
labels | Key-value pairs the workload must have (AND logic within a rule) | Required |
mode | Access mode: read or read-write | read-write |
path | Subfolder the workload is restricted to | / (full drive) |
Label matching
Workload labels are automatically injected into the workload’s identity token at creation time. These include infrastructure labels (likeblaxel-workspace, blaxel-type, blaxel-name) and any user-defined labels set on the resource’s metadata.
To add user-defined labels to a sandbox, set them in labels when creating the resource:
Create a drive with permissions
Update permissions on an existing drive
Permissions can be modified on a drive that is already in use. Updated permissions apply to new mount requests. Existing mounts are not affected until remounted.permissions to an empty array.
Permission patterns
Restrict to a single team
Only sandboxes withteam: "data-science" can mount the drive:
TypeScript
AND logic (multiple labels in one rule)
The workload must have bothteam: "backend" AND env: "production" to match:
TypeScript
OR logic (multiple rules)
Eitherteam: "backend" OR team: "ml" can access the drive:
TypeScript
Read-only access for some teams
The backend team gets full access, the frontend team can only read:TypeScript
Path scoping
Restrict a workload to a specific subfolder within the drive:TypeScript
/reports when it mounts the drive.
Behavior summary
| Scenario | Result |
|---|---|
| No permissions defined on drive | Any workload in the workspace can mount |
| Permissions defined, workload labels match a rule | Mount allowed with the rule’s mode and path |
| Permissions defined, no rule matches | Mount denied |
| Multiple rules match | First matching rule applies |
Rule with empty mode | Defaults to read-write |
Rule with empty path | Defaults to / (full drive) |
Agent Drive overview
Create, mount, and manage drives.
Sandboxes overview
Learn about sandbox lifecycle and configuration.
