Google Vertex AI in Practice

No Code Execution Tool on Vertex: How to Fill the Gap

On the first-party API, Claude can run code in an Anthropic-managed sandbox. On Vertex AI it can't — so the sandbox becomes your responsibility. Here are the three patterns that work.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Anthropic's code execution tool is a server-side capability: on the first-party Claude API, the model can write Python, have it executed in a sandbox Anthropic operates, and reason over the results — all without you provisioning anything. Per Anthropic's Vertex documentation, that tool is not supported on Vertex AI. Google states the general rule directly: Claude models on the platform support client tools, but server tools are not supported. The distinction is who runs the tool — and on Vertex, "who" is you.

The good news: everything you need to fill the gap is supported. Tool use itself is GA on Vertex, and the client-implemented tool types Anthropic defines — bash, text editor, memory — are available. What changes is architecture, not capability.

Pattern 1: ordinary tool use for known computations

Most "Claude needs to compute something" requirements don't need arbitrary code execution at all. If the computations are enumerable — currency math, date arithmetic, a pricing formula, a database lookup — define each as a regular tool. Claude requests the tool with structured arguments; your code runs a function you wrote and audited; the result goes back in a tool_result block.

from anthropic import AnthropicVertex

client = AnthropicVertex(project_id="my-gcp-project", region="global")
message = client.messages.create(
    model="claude-opus-4-8",
    max_tokens=1024,
    tools=[{
        "name": "npv",
        "description": "Net present value of a cash-flow series",
        "input_schema": {"type": "object", "properties": {
            "rate": {"type": "number"},
            "cash_flows": {"type": "array", "items": {"type": "number"}}},
            "required": ["rate", "cash_flows"]},
    }],
    messages=[{"role": "user", "content": "NPV of -1000, 400, 400, 400 at 8%?"}],
)

This is the safest substitute because no model-generated code ever runs — only your functions do. The multi-turn loop mechanics are covered in tool use with Claude on Vertex AI.

Pattern 2: Cloud Functions as a constrained executor

When the computation genuinely can't be enumerated in advance — "analyze this CSV however makes sense" — some teams expose a tool whose implementation runs model-generated code inside a Cloud Function or similarly isolated GCP workload. The isolation properties you must engineer yourself, because you're rebuilding what Anthropic's managed sandbox provided:

Least privilege: run the executor under a dedicated service account with no permissions beyond what the task needs — never the same identity that calls Vertex. Containment: restrict or remove outbound network access so generated code can't exfiltrate whatever data you passed in. Bounded execution: enforce timeouts, memory caps, and input/output size limits. Auditability: log every generated snippet and its output, so security review has a record.

Security note: treat model-generated code exactly like untrusted user input, because from a threat-model perspective it is — a prompt-injected document can steer what the model writes. If you wouldn't eval() text from an anonymous web form in that environment, don't run Claude's code there either. See prompt injection 101.

Pattern 3: client-side evaluation for low-stakes math

For internal tools where the stakes are a wrong chart rather than a data breach, a middle path is client-side evaluation: your application executes model-produced expressions in a deliberately tiny interpreter — a restricted expression evaluator, not a full Python runtime. The narrower the language you accept (arithmetic and a whitelist of functions, say), the less sandboxing you owe. The moment "expressions" creep toward "programs," you're back in Pattern 2 territory and should build it properly.

Choosing between them

PatternRuns generated code?Engineering costFit
Predefined toolsNoLowEnumerable computations (most enterprise cases)
Cloud Functions executorYes, isolatedHighOpen-ended analysis on trusted-ish data
Client-side evaluationYes, tightly restrictedMediumLow-stakes arithmetic and formulas

Start with Pattern 1 and only escalate when a real requirement forces you to. Teams routinely discover that 90% of their imagined "code execution" needs were a dozen well-designed tools in disguise. And if the managed sandbox is genuinely central to your product, that's a platform-selection signal: the code execution tool is available on the first-party API and on Claude Platform on AWS — weigh that in your platform decision.

Where to go next

The complete availability matrix is in the feature gaps overview; Cloud Functions as invocation triggers covers the serverless plumbing side.

Sources