At Horizon State, we had wanted to use Amazon Cognito for a while, but its lack of native support for passwordless authentication held us back. Recently, we had some time to dig deep into it.
Overall it was a good experience, but this post is about one head-scratcher I faced while setting up custom domains.
All our internal infrastructure is set up in the Sydney region, so it was only logical to create the Cognito User Pool in the same region.
Create a User Pool
In order to leave unrelated stuff out of this post, let’s create a User Pool with default settings:
So far, so good!
Set up a custom domain
When I tried to set up a custom domain name, it complained that there were no AWS managed certificates for this region:
I know that’s not true because we have several services running in the region serving
However, clicking on the link in the error message to add a new one took me to the regular certificate management page, which showed all the certificates we have, as expected.
Now, that’s confusing!
I tried googling and going through the official documentation but couldn’t really figure out what the issue was. Then I thought of creating a new Identity Pool in a separate account.
I created one in our production account and it did not give me the same error. However, it showed only one certificate in the dropdown whereas there should have been a couple more:
At least, now I’m getting somewhere.
After scratching my head for a while, I realised that the certificate it lists is from another region, us-east-1 (N. Virginia).
Then I headed back to the dev account and requested a new certificate in the us-east-1 region. Boom! The new certificate appeared in the AWS managed certificate dropdown.
By boom, I mean once the certificate is issued, of course.
Back to setup
I gladly selected the new certificate and gave an appropriate custom domain name. It provided me with a link to a CloudFront distribution. All I had to do was create a CNAME record that maps the custom domain name I chose to the given CloudFront distribution.
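The set-up described above, as an added Terraform example (not the post's own code, and not from Horizon State): the User Pool lives in Sydney, but the ACM certificate is requested through a provider alias for us-east-1, and a CNAME points the custom domain at the CloudFront distribution Cognito returns. auth.example.com and var.zone_id are placeholders, and attribute names follow the hashicorp/aws provider.

```hcl
variable "zone_id" {}   # Route 53 hosted zone for example.com (assumed placeholder)
provider "aws" {
  region = "ap-southeast-2"   # Sydney: where the User Pool lives
}
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"        # N. Virginia: the only region CloudFront reads ACM certificates from
}

resource "aws_cognito_user_pool" "pool" {
  name = "example-pool"
}

# The certificate must be requested in us-east-1, not in the pool's own region.
resource "aws_acm_certificate" "auth" {
  provider          = aws.us_east_1
  domain_name       = "auth.example.com"
  validation_method = "DNS"
}
# DNS validation records, so that the certificate actually gets issued.
resource "aws_route53_record" "auth_validation" {
  for_each = { for dvo in aws_acm_certificate.auth.domain_validation_options : dvo.domain_name => dvo }
  zone_id  = var.zone_id
  name     = each.value.resource_record_name
  type     = each.value.resource_record_type
  ttl      = 60
  records  = [each.value.resource_record_value]
}
# Wait for issuance: Cognito only offers issued certificates in its dropdown.
resource "aws_acm_certificate_validation" "auth" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.auth.arn
  validation_record_fqdns = [for r in aws_route53_record.auth_validation : r.fqdn]
}

resource "aws_cognito_user_pool_domain" "auth" {
  domain          = "auth.example.com"
  user_pool_id    = aws_cognito_user_pool.pool.id
  certificate_arn = aws_acm_certificate_validation.auth.certificate_arn
}

# CNAME from the custom domain to the CloudFront distribution Cognito created.
# Despite its name, cloudfront_distribution_arn holds that distribution's hostname.
resource "aws_route53_record" "auth_cname" {
  zone_id = var.zone_id
  name    = "auth.example.com"
  type    = "CNAME"
  ttl     = 300
  records = [aws_cognito_user_pool_domain.auth.cloudfront_distribution_arn]
}
```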
What was going on?
Cognito creates a set of UIs for login, logout, etc. by default. It does that to get things up and running fast - thank you! Therefore, it creates a CloudFront distribution under the hood to host these pages.
Note: this distribution is not visible under your account.
As explained here in the documentation, CloudFront only works with certificates available in the US East region.
So, there you go…