keeping track of digital experience
AWS Cognito: Setup a Custom Domain
Harien 20 Feb 2019 4 minutes

At Horizon State, we wanted to utilise Amazon Cognito for a while. But not having native support for passwordless authentication held us back for a while. Recently, we had some time to dig deep into it.

Overall it was a good experience, but this post is about one head-scratcher I faced while setting up custom domains.

Some background…

All our internal infrastructure is setup in the Sydney region. So it was only logical to create the Cognito User Pool as well in the same data center.

Create a User Pool

In order to leave unrelated stuff out of this post, let’s create a User Poll with default settings:

create user pool with defaults

So far, so good!

Your user pool was created successfully

Setup a custom domain

When I tried to setup a custom domain name, it complained that there are no AWS managed certificates for this region:

We didn't find any AWS managed certificates for this region

Hmmm, interesting!

I know that’s not true because we have several services running in the region serving HTTPS traffic.

However, clicking on the link in the error message to add a new one, took me to the regular certificate management page which showed all the certificates we have, as expected.

Now, that’s confusing!

Troubleshoot

I tried googling and going through the official documentation but couldn’t really figure out what the issue is. Then I though creating a new Identity Pool in a separate account.

I created one in our production account and it did not give me the same error. However, it showed only one certificate in the dropdown whereas there should have been a couple more:

certificates shows in prod

At least, now I’m getting somewhere.

After scratching my head for a while, I realised that the certificate it list is from another region, us-east-1 (N. Virginia).

Then I headed back to the dev account and requested for a new certificate in the us-east-1 region. Boom! the new certificate appeared in the AWS managed certificate dropdown.

By boom, I mean once the certificate is issued, of cause.

Back to setup

I gladly selected the new certificate and gave an appropriate custom domain name. It provided me with a link to a CloudFront distribution. All I had to do was create a CNAME record that maps the custom domain name I chose to the given CloudFront distribution URL.

What was going on?

Cognito creates a set of UIs for login, logout, etc by default. It does that to get things up and running fast - thank you! Therefore, it creates a CloudFront distribution under the hood to host these pages.

Note: this distribution is not visible under your account.

As explained here in the documentation, CloudFront only works with certificates available in the US East region.

So, there you go…