AWS Cognito custom domain fails to create — "Invalid request provided: AWS::Cognito::UserPoolDomain"
14:19 29 Nov 2025

I'm creating an Amazon Cognito user pool with a custom user pool domain using AWS CDK.

My setup:

  • A parent domain (mycompany.app)

  • A delegated subdomain (education.mycompany.app) created as a separate delegated Route 53 public hosted zone

  • In CDK I create:

    • The user pool

    • A SAML provider

    • A user pool client

    • A certificate in us-east-1 using DnsValidatedCertificate

    • Then a UserPoolDomain configured with that certificate (auth.education.mycompany.app)

Everything deploys fine until I add the UserPoolDomain. At that point the deployment fails with:

Resource handler returned message: "Invalid request provided: AWS::Cognito::UserPoolDomain"

Running:

aws cognito-idp describe-user-pool-domain \
  --domain auth.education.hairtracker.app

returns:

{}

So the domain is not already in use and never gets created.

I verified:

  • DNS delegation is correct

  • The (ACM) certificate is valid (correct CN, no SANs)

  • Certificate is in us-east-1

  • No pre-existing Cognito custom domain

  • Works fine in other zones

amazon-web-services amazon-cognito
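A pre-deploy check for the documented prerequisites of a Cognito custom domain, added here as an example and not the asker's CDK code. It assumes the three requirements AWS states for such a domain: the ACM certificate must be in us-east-1, the parent of the custom domain must itself have an A record (NS delegation alone does not satisfy this), and the domain must not already belong to a user pool; the resolver and the describe call are injectable so the check runs offline, and the certificate ARN used in the test is a placeholder.

```python
import socket
from typing import Callable


def parent_domain(domain: str) -> str:
    """auth.education.mycompany.app -> education.mycompany.app (the label Cognito checks)."""
    labels = domain.rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError("a Cognito custom domain must be a subdomain, e.g. auth.example.com")
    return ".".join(labels[1:])


def live_resolve_a(host: str) -> list[str]:
    """A-record lookup through the system resolver; empty list when nothing resolves."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def live_describe_domain(domain: str) -> dict:
    """Same call as `aws cognito-idp describe-user-pool-domain --domain ...` (needs boto3 + credentials)."""
    import boto3  # imported lazily so the offline checks still work without it
    return boto3.client("cognito-idp").describe_user_pool_domain(Domain=domain)


def cognito_domain_preflight(
    domain: str,
    cert_arn: str,
    resolve_a: Callable[[str], list[str]] = live_resolve_a,
    describe_domain: Callable[[str], dict] = live_describe_domain,
) -> list[str]:
    """Return the prerequisites that are NOT met; an empty list means the domain can be created."""
    problems: list[str] = []
    # 1. The ACM certificate must be in us-east-1 whatever region the user pool lives in.
    if ":acm:us-east-1:" not in cert_arn:
        problems.append(f"certificate {cert_arn} is not in us-east-1")
    # 2. The parent of the custom domain must have an A record. A delegated zone that only
    #    holds NS/SOA records fails this even though the delegation itself is correct.
    parent = parent_domain(domain)
    if not resolve_a(parent):
        problems.append(f"parent domain {parent} has no A record")
    # 3. The domain must not already be attached to a user pool. The CLI prints {} for a free
    #    domain; an occupied one comes back with a populated DomainDescription.
    if describe_domain(domain).get("DomainDescription"):
        problems.append(f"{domain} is already attached to a user pool")
    return problems
```

Run it with the defaults against the real domain before `cdk deploy`; each reported problem maps to a check the request-level error message does not spell out.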