
AWS Architecture Blog — PACIFIC enables multi-tenant, sovereign product carbon footprint exchange on the Catena-X data space using AWS

Summary

PACIFIC — a joint product of BASF and CircularTree, certified on the Catena-X Automotive Network — is a multi-tenant SaaS that lets automotive-supply-chain companies exchange Product Carbon Footprint (PCF) data across company boundaries while keeping each company's credentials, EDC configuration, and PCF records fully isolated. The problem shape is specifically cross-tenant B2B data exchange on a shared data space: participants need to collaborate (request, negotiate, transmit PCF datasets) and stay sovereign (no cross-tenant credential or data leakage, ever). The PACIFIC architecture runs on Amazon ECS on AWS Fargate behind AWS WAF + Application Load Balancer, and rests on three load-bearing architectural moves: (1) Cognito-group → IAM-role mapping via Cognito Identity Pools + STS delivers per-tenant AWS credentials without one AWS account per tenant, so a user's temporary credentials can only read their own company's secrets in Secrets Manager; (2) the per-tenant OAuth2 exchange endpoint publishes each supplier's pcf-exchange-module as an individually addressable endpoint that accepts only tokens issued through an Eclipse Dataspace Connector (EDC) policy-negotiation handshake, layering protocol-level authorization on top of IAM-level isolation; (3) the integration-module decouples inbound supplier-specific PCF ingest (each with its own auth flow — OAuth2, certificate, API key) from the exchange layer, landing PCF data in Amazon S3 under company-specific prefixes guarded by the same IAM role chain. Business impact is concrete: a manual PCF request that used to take up to ~7 days now responds in seconds, delivering up to 75% time savings, and partner-onboarding grew +80% between 2024 and 2025 with +55% growth in requested products and shared PCFs. Customer case-study genre — no p99/TPS/storage-volume numbers disclosed.

Key takeaways

  1. IAM-based tenant isolation beats account-per-tenant for SaaS at Catena-X scale. PACIFIC does not provision a separate AWS account or VPC per customer company. Instead, when a company joins, PACIFIC auto-provisions a dedicated IAM role with a scoped policy that permits access only to that company's secrets in Secrets Manager. Users authenticate against the Cognito user pool and carry their company's group in the resulting token; the Cognito identity pool maps that group membership to the company's IAM role, and AWS STS issues temporary credentials scoped to that role. Cross-tenant credential access is denied at the IAM policy level, not at the application layer; this is the patterns/cognito-group-to-iam-role-mapping pattern made concrete. (Source)

  2. PCF-exchange authorization is layered: IAM-scoped user credentials (tenant → secrets) plus EDC-issued OAuth2 tokens (trading-partner → endpoint). The two mechanisms protect different boundaries. IAM-scoped credentials enforce intra-platform isolation: users of company A cannot read company B's EDC/DTR credentials stored in Secrets Manager. EDC OAuth2 tokens enforce inter-company authorization: only a trading partner that completed a successful EDC policy-negotiation handshake with the supplier's EDC can obtain a token valid for that supplier's pcf-exchange-module endpoint. The token is derived from the supplier's Cognito app client credentials stored inside their EDC. Each tenant's pcf-exchange-module is a distinct, individually addressable endpoint, not a shared endpoint with tenant-ID routing. (Source, Figure 2)

  3. The six-step EDC-to-EDC handshake is the authoritative cross-company PCF-exchange protocol on Catena-X. Verbatim from the article: (1) Consumer EDC sends Request PCF to Supplier EDC; (2) Policy Negotiation between the two EDCs; (3) token issued; (4) Supplier EDC provides a Data Space URL to the pcf-exchange-module; (5) Token Validation between pcf-exchange-module and the supplier-oauth2-client; (6) PCF data returned to Consumer EDC. Two independent gates: EDC-level policy negotiation and company-scoped OAuth2 token validation. "PCF data is transmitted only after explicit consent and only to the specific trading partner authorized in the data exchange agreement." (Source, Figure 2)

  4. The integration-module is a deliberate decoupling layer between messy supplier ingest and clean PCF exchange. Supplier-side PCF systems (e.g. BASF's internal PCF services) each have their own auth: OAuth2 client-credentials, certificate-based, API keys. All of those credentials are managed in Secrets Manager. The integration-module expects incoming PCF data to already conform to the Catena-X PCF JSON format — schema normalization happens at the ingestion boundary, not downstream. Ingested PCF lands in Amazon S3 under company-specific prefixes where IAM policies enforce ownership. New supplier integrations can be onboarded without touching the Catena-X exchange path. (Source)

  5. Four containerized modules on ECS Fargate partition the system. The runtime is four microservices behind WAF + ALB in a VPC, on Amazon ECS with AWS Fargate: core-modules (platform features), integration-module (supplier PCF ingest), pcf-exchange-module (per-tenant Catena-X exchange endpoint), edc-dtr-module (EDC/DTR connector + configuration). Persistence is Amazon RDS (relational) + Amazon S3 (object, company-prefixed). (Source, Figure 1)

  6. Operational-impact numbers are business-scale, not infra-scale. A previously-manual PCF request of a cached dataset took up to ~7 days; PACIFIC responds in seconds and delivers automated updates when PCFs change → up to 75% time savings for BASF and its customers. Across 2024 → 2025: +80% newly onboarded companies and +55% growth in requested products and shared PCFs. The case-study genre: no request/sec, no p99, no storage volume, no cost-per-tenant disclosed. (Source, Conclusion)
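
The Cognito-group → IAM-role chain of takeaway 1, together with the company-prefixed S3 ownership of takeaway 4, worked through as an added example; this is not PACIFIC's code and the post publishes no policies, so the account id, region, identity-pool id, bucket name, role names and the `pacific/<company>/` secret-naming scheme are all assumptions. The block builds one tenant role's trust policy, its scoped permission policy and the identity-pool mapping rule, then checks sample requests against them with a small offline evaluator that follows IAM's default-deny and explicit-deny-wins rules.

```python
"""Per-tenant IAM isolation via Cognito identity-pool role mapping, modelled offline.

Added example, not PACIFIC's code. Builds one tenant's trust policy, scoped
permission policy and identity-pool mapping rule, then evaluates requests with
IAM's default-deny / explicit-deny-wins rules. Account, region, pool id, bucket
and naming scheme are assumptions.
"""
import re
from typing import List, Optional

ACCOUNT = "123456789012"                                               # assumed
REGION = "eu-central-1"                                                # assumed
IDENTITY_POOL_ID = f"{REGION}:0f0e0d0c-1111-2222-3333-444455556666"   # assumed
PCF_BUCKET = "pacific-pcf-data"                                        # assumed

def tenant_role_arn(company_id: str) -> str:
    return f"arn:aws:iam::{ACCOUNT}:role/pacific-tenant-{company_id}"

def trust_policy(identity_pool_id: str) -> dict:
    """Who may assume the tenant role: authenticated identities of this identity pool only;
    STS then issues temporary credentials for exactly this role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                      "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

def tenant_permission_policy(company_id: str) -> dict:
    """What the role may touch: this tenant's secrets and S3 prefix, nothing else. The '/'
    after the tenant id keeps 'company-a' from also matching 'company-ab'."""
    secrets = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:pacific/{company_id}/"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "TenantSecrets", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": f"{secrets}*"},   # Secrets Manager appends a random suffix to the ARN
        {"Sid": "TenantPcfObjects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{PCF_BUCKET}/{company_id}/*"},
        {"Sid": "TenantPcfListing", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{PCF_BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": f"{company_id}/*"}}}]}

def role_mapping_rule(company_id: str) -> dict:
    """Identity-pool rule: an ID token carrying this Cognito group maps to this tenant's role."""
    return {"Claim": "cognito:groups", "MatchType": "Contains",
            "Value": company_id, "RoleARN": tenant_role_arn(company_id)}

def resolve_role(rules: List[dict], id_token_claims: dict) -> str:
    """Rules are tried in order and the first match wins, so a user in two tenant groups
    gets whichever rule is listed first: membership must be exclusive. No match is a deny
    (AmbiguousRoleResolution = Deny)."""
    groups = id_token_claims.get("cognito:groups", [])
    for rule in rules:
        if rule["MatchType"] == "Contains" and rule["Value"] in groups:
            return rule["RoleARN"]
    raise PermissionError("no role-mapping rule matched")

def _glob(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(condition: dict, context: dict) -> bool:
    for op, pairs in condition.items():
        op = op.split(":")[-1]                # ForAnyValue:/ForAllValues: collapsed to any-of here
        for key, want in pairs.items():
            have = _as_list(context.get(key, []))
            if op == "StringEquals":
                ok = any(h == w for h in have for w in _as_list(want))
            elif op == "StringLike":
                ok = any(_glob(w, h) for h in have for w in _as_list(want))
            else:
                ok = False                    # unmodelled operator: fail closed
            if not ok:
                return False
    return True

def is_allowed(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> bool:
    """Default deny; an explicit Deny beats any Allow. (Principal matching is not modelled.)"""
    allowed = False
    for st in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _conditions_hold(st.get("Condition", {}), context or {}):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    own = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:pacific/company-a/edc-Ab12Cd"
    print(is_allowed(tenant_permission_policy("company-a"), "secretsmanager:GetSecretValue", own))  # True
    print(is_allowed(tenant_permission_policy("company-b"), "secretsmanager:GetSecretValue", own))  # False
```

Two details matter in practice. Secrets Manager appends a random suffix to the secret name in its ARN, so the resource must end in `*`, and the tenant segment must be terminated by a delimiter or the wildcard for `company-a` also matches `company-ab`. Identity-pool rules are evaluated in order with the first match winning, so a user who ends up in two tenant groups gets whichever role is listed first; group membership has to be exclusive for the mapping to be a security boundary.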

Systems extracted (first-class wiki entities)

  • Amazon Cognito — user pool groups (per-tenant) + identity pool (group → IAM-role mapping) + app client (EDC OAuth2 credentials). Already on the wiki; this source extends it with the Catena-X PCF-exchange shape.
  • AWS IAM — per-tenant IAM role with scoped policy; the mechanism that makes tenant isolation structural.
  • AWS STS — issues the temporary credentials keyed to the tenant's IAM role; the runtime authority behind Cognito-to-IAM mapping.
  • AWS Secrets Manager — per-tenant secret for EDC connector credentials, Digital Twin Registry credentials, and supplier-system auth material.
  • Amazon ECS + AWS Fargate — runtime for the four containerized PACIFIC modules.
  • Amazon S3 — PCF storage with company-specific prefixes; IAM policies enforce prefix-level ownership.

Concepts extracted

  • concepts/tenant-isolation — extended: PACIFIC is a canonical example of IAM-based tenant isolation (no account-per-tenant, no VPC-per-tenant), achieved via Cognito-group → IAM-role mapping + Secrets Manager per-tenant secrets.
  • concepts/digital-sovereignty — extended: the Catena-X / EU-regulatory context where "sovereignty" means per-company control over data and credentials in cross-company exchange.
  • concepts/account-per-tenant-isolation — used as the contrast case: PACIFIC deliberately avoids this model.
  • concepts/short-lived-credential-auth — extended: STS-issued temporary credentials scoped to tenant IAM role are the concrete mechanism that makes application-layer tenant enforcement unnecessary for Secrets-Manager access.

Patterns extracted

  • patterns/cognito-group-to-iam-role-mapping (new) — the Cognito user-pool-group → Cognito-identity-pool → IAM role → STS temporary credentials chain that delivers per-tenant AWS access without account-per-tenant overhead.
  • patterns/per-tenant-oauth2-exchange-endpoint (new) — publishing each tenant's cross-company data-exchange endpoint as an independently-addressable URL that accepts only OAuth2 tokens issued via an out-of-band handshake (EDC policy negotiation, in PACIFIC's case).
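
The six-step exchange of takeaways 2 and 3, and the per-tenant endpoint this pattern names, as an added offline simulation rather than PACIFIC's or Eclipse EDC's code. The token is a minimal HS256 JWT signed with an assumed per-tenant app-client secret so that the example runs without Cognito; the BPNs, endpoint URLs, secrets, agreement ids and PCF record are constructed, and the PCF dict is illustrative rather than the Catena-X PCF JSON model.

```python
"""Per-tenant OAuth2 exchange endpoint gated by EDC-style negotiation, modelled offline.

Added example, not PACIFIC's or Eclipse EDC's code. The HS256 token stands in for
the one the supplier's OAuth2 client would issue; secrets, BPNs, URLs, agreement
ids and the PCF record are constructed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field

NOW = 1_700_000_000.0   # fixed clock so the example is deterministic

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, secret: str) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_token(token: str, secret: str, audience: str, now: float) -> dict:
    """Pinned alg, signature by this tenant's secret, tenant-specific audience, expiry."""
    header, body, sig = token.split(".")
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise PermissionError("not signed by this tenant's OAuth2 client")
    claims = json.loads(unb64url(body))
    if claims.get("aud") != audience:
        raise PermissionError("token issued for a different tenant endpoint")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def tamper(token: str, **changes) -> str:
    """Rewrite claims but keep the old signature; verify_token must reject the result."""
    header, body, sig = token.split(".")
    claims = {**json.loads(unb64url(body)), **changes}
    return f"{header}.{b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"

@dataclass
class SupplierTenant:
    tenant_id: str
    bpn: str
    app_client_secret: str                           # assumed: held in the tenant's EDC / Secrets Manager
    access_policy: set = field(default_factory=set)  # consumer BPNs allowed to negotiate
    pcfs: dict = field(default_factory=dict)         # product id -> PCF record
    agreements: dict = field(default_factory=dict)   # agreement id -> (consumer BPN, product id)

    @property
    def endpoint(self) -> str:                       # one addressable URL per tenant (assumed scheme)
        return f"https://pacific.example/pcf-exchange/{self.tenant_id}"

def edc_negotiate(t: SupplierTenant, consumer_bpn: str, product_id: str) -> str:
    """Steps 1-2: Request PCF and policy negotiation at the supplier EDC; refused unless
    the consumer is in this tenant's access policy and the product exists."""
    if consumer_bpn not in t.access_policy or product_id not in t.pcfs:
        raise PermissionError("policy negotiation refused")
    agreement_id = hashlib.sha256(f"{t.bpn}:{consumer_bpn}:{product_id}".encode()).hexdigest()[:16]
    t.agreements[agreement_id] = (consumer_bpn, product_id)
    return agreement_id

def edc_issue_edr(t: SupplierTenant, agreement_id: str, now: float) -> dict:
    """Steps 3-4: short-lived token bound to the agreement and to this tenant's endpoint, plus the URL."""
    consumer_bpn, _ = t.agreements[agreement_id]
    claims = {"sub": consumer_bpn, "aud": t.endpoint, "agreement": agreement_id, "exp": int(now) + 300}
    return {"endpoint": t.endpoint, "token": sign_token(claims, t.app_client_secret)}

def pcf_exchange_module(tenants: dict, endpoint: str, token: str, product_id: str, now: float) -> dict:
    """Steps 5-6: the endpoint resolves its own tenant, validates the token with that tenant's
    client material, and releases only what the negotiated agreement covers."""
    tenant = tenants[endpoint]
    claims = verify_token(token, tenant.app_client_secret, audience=tenant.endpoint, now=now)
    consumer_bpn, agreed_product = tenant.agreements.get(claims.get("agreement"), (None, None))
    if consumer_bpn != claims.get("sub") or agreed_product != product_id:
        raise PermissionError("no agreement covers this consumer and product")
    return {"consumer": consumer_bpn, "product": product_id, "pcf": tenant.pcfs[product_id]}

def request_pcf(consumer_bpn: str, supplier: SupplierTenant, tenants: dict, product_id: str, now: float) -> dict:
    """The full six-step exchange as the consumer EDC experiences it."""
    edr = edc_issue_edr(supplier, edc_negotiate(supplier, consumer_bpn, product_id), now)
    return pcf_exchange_module(tenants, edr["endpoint"], edr["token"], product_id, now)

def build_sample():
    """Two tenants on one platform, each with its own secret and endpoint (constructed data;
    the PCF dict is illustrative, not the Catena-X PCF JSON model)."""
    a = SupplierTenant("company-a", "BPNL00000000000A", "secret-for-a", {"BPNL000000000CNS"},
                       {"P-100": {"product": "P-100", "pcf_kg_co2e": 12.4}})
    b = SupplierTenant("company-b", "BPNL00000000000B", "secret-for-b", {"BPNL000000000CNS"},
                       {"P-100": {"product": "P-100", "pcf_kg_co2e": 9.1}})
    return {a.endpoint: a, b.endpoint: b}, a, b
```

Running `tenants, a, b = build_sample()` and then `request_pcf("BPNL000000000CNS", a, tenants, "P-100", NOW)` walks the whole exchange and returns company-a's record. The two gates show up as two separate failures: a consumer outside the supplier's access policy never gets past `edc_negotiate`, and a token that did pass negotiation is still refused at any endpoint other than the one in its `aud` claim, because the other tenant's client material never signed it. Pinning `alg` and checking expiry are what keep the second gate from being bypassed with a forged or stale token.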

Operational numbers (recorded)

  • Up to 75% time savings for BASF and its customers on PCF exchange.
  • Up to ~7 days → seconds for a cached-PCF response (manual → automated).
  • +80% newly onboarded companies between 2024 and 2025.
  • +55% growth in requested products and shared PCFs over the same period.

Caveats

  • Customer case study / joint-marketing genre — no p99 latency, request/sec throughput, per-tenant cost, PCF storage volume, EDC-negotiation median-duration, or failure-mode distribution is disclosed.
  • "Sovereignty" here is the Catena-X/EU industrial-data-space sense (per-company control over records and credentials in cross-company exchange), not the cross-jurisdictional sense covered by systems/aws-european-sovereign-cloud or GovCloud. PACIFIC's IAM-based isolation model is intra-AWS-account: all tenants share one account, so an over-broad tenant role policy or a wrong group-to-role mapping would fail across tenants rather than stop at an account boundary.
  • The article describes PACIFIC's design but does not publish code, IAM policy excerpts, EDC connector configuration, or Cognito pre-token-hook code. Treat the token-flow description as an architecture diagram, not a runnable spec.
  • Eclipse Dataspace Connector (EDC) and Digital Twin Registry (DTR) are external Catena-X components; this post is not their primary documentation.

Source
