aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::Cognito::UserPool - GetAtt returns incorrect partition for Arn in GovCloud #553

Closed cmckni3 closed 2 years ago

cmckni3 commented 4 years ago

I created a stack in us-gov-west-1 and the Arn returned has the partition specified as aws instead of aws-us-gov.

Expected behavior

Arn returned via GetAtt should be valid.

Suggest specific test cases

What I see in outputs and cross stack references (which fail!): arn:aws:cognito-idp:us-gov-west-1:{AccountId}:userpool/us-gov-west-1_{UserPoolId}

Description: Reproduces CloudFormation bug where Cognito UserPool Arn is incorrect
Resources:
  IdentityCognitoUserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
Outputs:
  CognitoUserPoolArn:
    Value: !GetAtt 
      - IdentityCognitoUserPool
      - Arn
  CognitoUserPoolID:
    Value: !Ref IdentityCognitoUserPool

Category (required) - Will help with tagging and be easier to find by other users to +1

Use the categories as displayed in the AWS Management Console (simplified):

  1. Security (IAM, KMS...)

sky-c commented 3 years ago

Ran into a similar issue and commented on https://github.com/aws/aws-cdk/issues/12500 thinking it was related. Presently can't use CDK to deploy an API with a Cognito authorizer to GovCloud.

cmckni3 commented 3 years ago

> Ran into a similar issue and commented on aws/aws-cdk#12500 thinking it was related. Presently can't use CDK to deploy an API with a Cognito authorizer to GovCloud.

I worked around it by using CFN pseudo parameters and CFN functions.

There's also an issue with the IAM policy conditions for the identity pool #198

Have been running Cognito and application in GovCloud since July 2020.
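
One possible form of the pseudo-parameter workaround mentioned in the comment above, as an added example that is not the commenter's or the project's own template: the ARN is assembled with `!Sub` and `AWS::Partition` instead of `!GetAtt`, so it resolves to `aws-us-gov` in GovCloud. The logical ID `IdentityCognitoUserPool` comes from the issue's template; the API, authorizer, and export names are assumptions.

```yaml
Description: Builds the Cognito UserPool ARN from pseudo parameters instead of GetAtt
Resources:
  IdentityCognitoUserPool:
    Type: 'AWS::Cognito::UserPool'
    Properties:
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      UsernameConfiguration:
        CaseSensitive: false
  # Hypothetical API and authorizer, included only to show a consumer of the ARN
  ExampleRestApi:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: example-api
  ExampleAuthorizer:
    Type: 'AWS::ApiGateway::Authorizer'
    Properties:
      Name: example-cognito-authorizer
      Type: COGNITO_USER_POOLS
      IdentitySource: method.request.header.Authorization
      RestApiId: !Ref ExampleRestApi
      ProviderARNs:
        # Ref on the user pool returns its ID (for example us-gov-west-1_...),
        # and AWS::Partition supplies the partition of the deploying region
        - !Sub 'arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${IdentityCognitoUserPool}'
Outputs:
  CognitoUserPoolArn:
    Value: !Sub 'arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${IdentityCognitoUserPool}'
    Export:
      # Assumed export name for cross-stack references
      Name: !Sub '${AWS::StackName}-CognitoUserPoolArn'
  CognitoUserPoolID:
    Value: !Ref IdentityCognitoUserPool
```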

gamma425 commented 3 years ago

@WaelA any updates? Hand-wavy ETA?

pb0101 commented 2 years ago

Thank you for submitting this issue. We have addressed this issue in our CloudFormation templates so GovCloud user pools should now return the correct ARN.