Share via

Unable to use openai responses api shell tool with network access

GS 400 Reputation points
2026-03-26T13:09:42.3+00:00

hello,

I am trying to use the OpenAI Responses API with the shell tool and network access

response = client.responses.create(
        model=AZURE_OPENAI_MODEL,
        tool_choice="required",
        tools=[
            {
                "type": "shell",
                "environment": {
                    "type": "container_auto",
                    "network_policy": {
                        "type": "allowlist",
                        "allowed_domains": ["pypi.org", "files.pythonhosted.org", "github.com"],
                    },
                },
            }
        ],
        input=[
            {
                "role": "user",
                "content": "In the container, pip install httpx beautifulsoup4, fetch release pages, and write /mnt/data/release_digest.md.",
            }
        ],
    )

this is the error that I get

openai.BadRequestError: Error code: 400 - {'error': {'message': "Network policy 'allowlist' is not permitted because the organization policy disables container network access.", 'type': 'invalid_request_error', 'param': 'network_policy.type', 'code': 'invalid_value'}}Where can I enable network access in Azure ?

Azure OpenAI Service
Azure OpenAI Service

An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-26T13:09:52.1933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Network access for the shell tool’s container is controlled by an organization-level policy on the Azure OpenAI side, not by a setting in the Responses API call or in the Azure Portal resource configuration shown in the provided context.

    The error message:

    "Network policy 'allowlist' is not permitted because the organization policy disables container network access."

    means that container network access has been disabled by policy for the Azure OpenAI organization/tenant, so network_policy values that require outbound network (like allowlist) are rejected.

    Because this is enforced by an organization policy, it cannot be enabled from within the code or via the Responses API parameters. To use the shell tool with network access:

    1. Contact the Azure subscription or tenant administrator who manages Azure OpenAI policies.
    2. Ask them to review and update the organization policy that disables container network access for tools (such as the shell tool used with the Responses API).
    3. After the policy is changed to allow container network access, the network_policy configuration with type: "allowlist" and allowed_domains will be accepted.

    If policy changes are not possible in the current environment, the only option is to run the network operations (HTTP calls, package installation, etc.) outside of the Responses API shell tool and pass the results into the model as regular input.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.