aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

api-gateway: Unable to create cross-partition Cognito User Pool Authorizer #31735

Open kastork opened 1 week ago

kastork commented 1 week ago

Describe the bug

I want to authenticate an api gateway rest api in us commercial cloud to a Cognito User Pool in us-gov cloud. When I try this, I get ProviderARNs need to be valid Cognito Userpools.

I know I can make my own token authorizer or request authorizer, but a user pool authorizer would be more convenient.

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

Authorizer is created

Current Behavior

Authorizer is not created, and CDK deployment fails with ProviderARNs need to be valid Cognito Userpools. Invalid ARNs- arn:aws-us-gov:cognito-idp:us-gov-west-1:...

Reproduction Steps

// cdk project running in us-west-2, for example
import { UserPool } from 'aws-cdk-lib/aws-cognito';
import { AuthorizationType, CognitoUserPoolsAuthorizer, RestApi } from 'aws-cdk-lib/aws-apigateway';

// inside a Stack constructor; the imported pool lives in the aws-us-gov partition
const userPool = UserPool.fromUserPoolArn(this, 'eup', <govCloudUserPoolArn>);

const authorizer = new CognitoUserPoolsAuthorizer(this, 'apiauth', {
  cognitoUserPools: [userPool],
});

// synth fails unless the authorizer is attached to at least one method
const api = new RestApi(this, 'api');
api.root.addMethod('GET', undefined, {
  authorizer,
  authorizationType: AuthorizationType.COGNITO,
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.162.0 (build c8d7dd3)

Framework Version

No response

Node.js Version

v20.17.0

OS

macOS

Language

TypeScript

Language Version

5.6.2

Other information

No response
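The reporter's fallback, a custom token authorizer, as an added example that is not code from the issue or from aws-cdk: a Lambda TOKEN authorizer that validates a Cognito access token issued by a user pool in another partition, using only node:crypto. The issuer URL, app client ID, key material, method ARN and the claims in the demo token are constructed for illustration; in a real deployment the JWKS would be fetched from <issuer>/.well-known/jwks.json and cached across invocations, and the function wired to the REST API with `new TokenAuthorizer(this, 'auth', { handler: fn })` from aws-cdk-lib/aws-apigateway.

```typescript
// Added example: cross-partition Cognito JWT validation for an API Gateway
// TOKEN authorizer. Issuer, client ID and keys below are constructed.
import { createPublicKey, generateKeyPairSync, sign, verify } from 'node:crypto';

export interface Jwk { kid: string; kty: string; n: string; e: string }

export interface VerifyOptions {
  issuer: string;            // https://cognito-idp.<region>.amazonaws.com/<userPoolId>
  clientId: string;          // the app client whose tokens this API accepts
  tokenUse: 'access' | 'id'; // access tokens carry client_id, ID tokens carry aud
  jwks: Jwk[];               // keys from <issuer>/.well-known/jwks.json (cached)
  now?: number;              // seconds since epoch; overridable for tests
}

const b64url = (s: string): Buffer => Buffer.from(s, 'base64url');

export function verifyCognitoJwt(token: string, opts: VerifyOptions): Record<string, any> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(b64url(h).toString('utf8'));
  // Pin the algorithm; never let the token choose it (alg=none / HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = opts.jwks.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  // Verify the signature before trusting any claim in the payload.
  if (!verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, b64url(s))) throw new Error('bad signature');
  const claims = JSON.parse(b64url(p).toString('utf8'));
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  // Issuer check is what actually binds the token to the GovCloud pool.
  if (claims.iss !== opts.issuer) throw new Error('wrong issuer');
  if (claims.token_use !== opts.tokenUse) throw new Error('wrong token_use');
  const audience = opts.tokenUse === 'id' ? claims.aud : claims.client_id;
  if (audience !== opts.clientId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('token expired');
  return claims;
}

export interface TokenAuthorizerEvent { type: 'TOKEN'; authorizationToken: string; methodArn: string }
export interface AuthorizerResult {
  principalId: string;
  policyDocument: { Version: string; Statement: { Action: string; Effect: string; Resource: string }[] };
  context?: Record<string, string>;
}

// Body of the Lambda handler for a REST API TOKEN authorizer.
export function authorize(event: TokenAuthorizerEvent, opts: VerifyOptions): AuthorizerResult {
  const token = event.authorizationToken.replace(/^Bearer\s+/i, '');
  let claims: Record<string, any>;
  try {
    claims = verifyCognitoJwt(token, opts);
  } catch {
    throw new Error('Unauthorized'); // this exact message makes API Gateway return 401
  }
  return {
    principalId: String(claims.sub),
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: 'Allow', Resource: event.methodArn }],
    },
    context: { username: String(claims.username ?? '') },
  };
}

// Constructed stand-in for the user pool so the example runs offline:
// an ephemeral RSA key published as a JWKS plus a token minter.
export function makeDemoIssuer(kid = 'demo-key-1'): { jwks: Jwk[]; mint: (claims: Record<string, unknown>) => string } {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pub = publicKey.export({ format: 'jwk' });
  const enc = (o: unknown): string => Buffer.from(JSON.stringify(o)).toString('base64url');
  return {
    jwks: [{ kid, kty: String(pub.kty), n: String(pub.n), e: String(pub.e) }],
    mint: (claims) => {
      const signingInput = `${enc({ alg: 'RS256', kid })}.${enc(claims)}`;
      const sig = sign('RSA-SHA256', Buffer.from(signingInput), privateKey).toString('base64url');
      return `${signingInput}.${sig}`;
    },
  };
}
```

The Lambda entry point is then `export const handler = (e: TokenAuthorizerEvent) => authorize(e, optsFromEnv)`, with the issuer and client ID read from environment variables and the JWKS fetched on cold start. Nothing here depends on the partition of the calling API: the only cross-partition input is the issuer URL, which is why this works where the CloudFormation-native Cognito authorizer does not.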

pahud commented 1 week ago

The error message

ProviderARNs need to be valid Cognito Userpools. Invalid ARNs- arn:aws-us-gov:cognito-idp:us-gov-west-1:...

suggests that you are attempting to deploy CognitoUserPoolsAuthorizer in the us-west-2 region to work with an existing user pool in the AWS GovCloud. While the cdk synth command executed successfully, the CloudFormation deployment encountered an issue.

After reviewing the CDK source code, it appears that this error message originates from CloudFormation rather than CDK. It seems that CloudFormation might not support the configuration you're trying to implement.

To address this issue and identify the root cause, it is recommended that you reach out to AWS Premium Support. They can provide expert guidance and assistance in resolving this problem, as it may not be directly related to CDK but rather a limitation or configuration issue within CloudFormation.