api-gateway: Unable to create cross-partition Cognito User Pool Authorizer #31735

Open
1 task
kastork opened this issue Oct 11, 2024 · 1 comment
Labels: @aws-cdk/aws-apigateway (Related to Amazon API Gateway), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p3

Comments


kastork commented Oct 11, 2024

Describe the bug

I want to authenticate an api gateway rest api in us commercial cloud to a Cognito User Pool in us-gov cloud. When I try this, I get ProviderARNs need to be valid Cognito Userpools.

I know I can make my own token authorizer or request authorizer, but a user pool authorizer would be more convenient.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Authorizer is created

Current Behavior

Authorizer is not created, and CDK deployment fails with ProviderARNs need to be valid Cognito Userpools. Invalid ARNs- arn:aws-us-gov:cognito-idp:us-gov-west-1:...

Reproduction Steps

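// cdk project running in us-west-2, for example
import { CognitoUserPoolsAuthorizer } from 'aws-cdk-lib/aws-apigateway';
import { UserPool } from 'aws-cdk-lib/aws-cognito';

// Inside a Stack constructor; govCloudUserPoolArn stands for the GovCloud user pool ARN
const userPool = UserPool.fromUserPoolArn(this, 'eup', govCloudUserPoolArn);

// Fails at deploy time with "ProviderARNs need to be valid Cognito Userpools"
const authorizer = new CognitoUserPoolsAuthorizer(this, 'apiauth', {
  cognitoUserPools: [userPool],
});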

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.162.0 (build c8d7dd3)

Framework Version

No response

Node.js Version

v20.17.0

OS

macOS

Language

TypeScript

Language Version

5.6.2

Other information

No response

kastork added the bug and needs-triage labels Oct 11, 2024
github-actions bot added the @aws-cdk/aws-apigateway label Oct 11, 2024
Contributor

pahud commented Oct 13, 2024

The error message

ProviderARNs need to be valid Cognito Userpools. Invalid ARNs- arn:aws-us-gov:cognito-idp:us-gov-west-1:...

suggests that you are attempting to deploy CognitoUserPoolsAuthorizer in the us-west-2 region to work with an existing user pool in the AWS GovCloud. While the cdk synth command executed successfully, the CloudFormation deployment encountered an issue.

After reviewing the CDK source code, it appears that this error message originates from CloudFormation rather than CDK. It seems that CloudFormation might not support the configuration you're trying to implement.

To address this issue and identify the root cause, it is recommended that you reach out to AWS Premium Support. They can provide expert guidance and assistance in resolving this problem, as it may not be directly related to CDK but rather a limitation or configuration issue within CloudFormation.

pahud added the effort/medium and p3 labels and removed the needs-triage label Oct 13, 2024
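
As an added example (not code from the issue or from the CDK project): a check that could run before `cdk deploy` to flag user pool ARNs whose partition differs from the API's, the cross-partition setup this issue's deployment rejected. The function names, the sample ARNs and the region-prefix rule used to derive a partition are assumptions.

```typescript
// Added example: pre-deployment check for user pool ARNs handed to an authorizer.
// Assumption: partition follows the region prefix (us-gov- => aws-us-gov, cn- => aws-cn, else aws).
interface ArnFinding { arn: string; problem: string }

// Map a region name to its partition using the assumed prefix rule.
function partitionForRegion(region: string): string {
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  if (region.startsWith('cn-')) return 'aws-cn';
  return 'aws';
}

// Return one finding per ARN that is malformed, not a user pool, or outside the API's partition.
function checkUserPoolArns(apiRegion: string, arns: string[]): ArnFinding[] {
  const apiPartition = partitionForRegion(apiRegion);
  const findings: ArnFinding[] = [];
  for (const arn of arns) {
    // Layout: arn:partition:service:region:account-id:resource
    const parts = arn.split(':');
    const partition = parts[1] ?? '';
    const service = parts[2] ?? '';
    const region = parts[3] ?? '';
    const resource = parts.slice(5).join(':');
    if (parts.length < 6 || parts[0] !== 'arn') {
      findings.push({ arn, problem: 'not an ARN' });
    } else if (service !== 'cognito-idp' || !resource.startsWith('userpool/')) {
      findings.push({ arn, problem: 'not a Cognito user pool ARN' });
    } else if (partition !== partitionForRegion(region)) {
      findings.push({ arn, problem: `partition ${partition} does not match region ${region}` });
    } else if (partition !== apiPartition) {
      findings.push({ arn, problem: `cross-partition: pool is in ${partition}, API is in ${apiPartition}` });
    }
  }
  return findings;
}

// Constructed sample ARNs; account and pool IDs are placeholders, not values from the issue.
const sampleArns: string[] = [
  'arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE01',
  'arn:aws-us-gov:cognito-idp:us-gov-west-1:111122223333:userpool/us-gov-west-1_EXAMPLE02',
  'arn:aws:cognito-idp:us-gov-west-1:111122223333:userpool/us-gov-west-1_EXAMPLE03',
];

const sampleFindings = checkUserPoolArns('us-west-2', sampleArns);
for (const f of sampleFindings) console.log(`${f.arn}: ${f.problem}`);
```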