TRE-Agent-Ephemeral-Credentials-Docs #129
Open
CodeByKarthik wants to merge 28 commits into
Conversation
vpnu reviewed Dec 17, 2025
Co-authored-by: Vasiliki Panagi <[email protected]>
Collaborator
Just to check in, how come this was never merged? It does feel helpful to outline ephemeral credentials in the documentation, as it's a highlight of the system.
AndrewThien requested changes May 22, 2026
> ### How BPMN/DMN deployment works in Camunda/Zeebe
>
> 1. BPMN and DMN files (process models) are stored inside the TRE_Credentials project.
Contributor
I believe the project is named Camunda.Models now
> 1. BPMN and DMN files (process models) are stored inside the TRE_Credentials project.
> 2. On application startup, Zeebe’s client automatically deploys the models using client.deployResources. It can also be deployed using the Camunda Modeler interface using the rocket button shown in the bottom left corner.
> 3. Whenever the Submission layer triggers a process instance (e.g. TriggerStartCredentialsAsync), Zeebe uses the deployed BPMN definition to decide which jobs to create.
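Review bot: in step 2, "It can also be deployed" has no clear referent, because the sentence before it and step 1 talk about the models in the plural; suggest "The models can also be deployed manually from the Camunda Modeler using the rocket button in the bottom left corner." In the same step, `client.deployResources` is an API call and should be set in code formatting, and it would help to say that this automatic deployment only happens at application startup, so a model changed afterwards needs one of the two deployment paths to be run again.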
> - **TRE (Admin layer):** Entry point for user submissions. Responsible for:
>   - Triggering the Camunda workflow to *create* credentials for a submission.
>   - Polling the internal credentials DB for ready credentials and fetching secrets from the vault.
>   - Injecting found credentials into TES/TESK task executors as environment variables.
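Review bot: these bullets describe creating the credentials, polling for them and injecting them into the TES/TESK task executors as environment variables, but nothing here says when the injected credentials stop being valid or which component revokes them; for a page titled Ephemeral Credentials that lifetime is the property a reader most needs, so add a bullet (or a pointer to the section that covers it) for the expiry or revocation step. Since the bullet above fetches the secrets from the vault while the Credentials DB bullet talks only about records, it is also worth stating explicitly that the secret values live in the vault and are not written to the EphemeralCredentials table.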
> - **Credentials DB (EphemeralCredentials table):** Stores records after a successful credentials or details of errored credential creation so the TRE layer can coordinate polling and mark rows processed.
>
> - **Credentials DB (EphemeralCredentials table)**: Stores records after a successful credentials or details of errored credential creation so the TRE layer can coordinate polling and mark rows processed.
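Review bot: "Stores records after a successful credentials or details of errored credential creation" does not parse; suggest "Stores a record after credentials are created successfully, or the error details when creation fails, so the TRE layer can coordinate polling and mark rows as processed." The two copies of this bullet also differ only in whether the colon sits inside or outside the closing `**`; when the duplicate is removed, keep the `**...:**` form used by the TRE (Admin layer) bullet so the list is consistent.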
Contributor
this sentence is repeated
> ## Sequence of events
Contributor
TRE and TRE layer in this section should all be TRE Agent
> # Five Safes TES - Ephemeral Credentials
>
> ## Summary
Contributor
We have this Summary section plus High-level architecture plus Sequence of events, and they seem to talk around the same things. Can we somehow merge them nicely together and put them at the top of this page?
Co-authored-by: Tri Thien Nguyen <[email protected]>
Documentation #127
PR Description
This PR introduces a comprehensive ephemeral credentials management system using BPMN workflows and DMN decision models to handle credential lifecycle management for multiple services including PostgreSQL, Trino, and MinIO.
Closes #127