Setting up a Custom Domain for AWS Cognito with Google Identity Provider
This guide explains how to configure a custom domain for AWS Cognito when using Google as an Identity Provider, allowing you to replace the default Cognito domain with your own branded domain.

Prerequisites

- An AWS account with a Cognito user pool configured
- A domain name you control, with access to its DNS settings
- Google configured as an Identity Provider

Configuration Steps

1. Certificate Setup

Important: The SSL certificate must be in the us-east-1 region, regardless of where your Cognito user pool is located.

- Ensure you have a wildcard certificate (*.yourdomain.com) or a certificate for the specific domain in AWS Certificate Manager in us-east-1.
- The certificate must be validated and in "Issued" status.

2. Create Custom Domain in Cognito

- Navigate to your Cognito User Pool in the AWS Console.
- Go to "Domain" in the left-hand menu.
- Under "Actions", choose "Create custom domain".
- Enter your desired domain (e.g., auth.yourdomain.com).
- Select the certificate you created in us-east-1.
- Save the changes.

3. Update DNS Records

After creating the custom domain, Cognito will provide you with a target domain name: once the custom domain is created, the Domain page shows the custom domain together with an "alias target", which is a CloudFront URL. You need to:

- Go to your DNS provider (e.g., Route 53).
- Create a CNAME record using your custom domain as the host and the Cognito-provided "alias target" domain as the value.

4. Update Application Configuration

Update your application's configuration to use the new custom domain. For example, if you have an environment variable for the Cognito domain:

- Change COGNITO_DOMAIN from the default (e.g., xxxxx.auth.<region>.amazoncognito.com).
- Set it to your new custom domain (e.g., auth.yourdomain.com).

Verification

After configuration is complete:

- Wait for DNS propagation (can take up to 15 minutes).
- Test the authentication flow to ensure the custom domain appears instead of the default Cognito domain.
- Verify that Google sign-in shows your custom domain on the authentication page.

Note: The domain status in Cognito should show as "Active" before testing. If it remains "In Progress" for an extended period, verify your DNS configuration.
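The following script is an added example, not code from the original guide, that turns steps 3 and 4 and the verification section into checks you can run before testing the login flow: it confirms that the CNAME pairs the custom host with a CloudFront alias target, that COGNITO_DOMAIN no longer points at the default prefix domain, and it builds the hosted-UI authorize URL that sends users straight to Google. Assumptions not stated on the page: the application reads COGNITO_DOMAIN, COGNITO_CLIENT_ID and COGNITO_REDIRECT_URI from its environment; the alias target is a cloudfront.net hostname; and the /oauth2/authorize and /oauth2/idpresponse paths and the identity_provider query parameter are Cognito hosted-UI behaviour rather than something this guide describes. All hostnames and ids below are constructed sample values.

```python
"""Sanity checks for a Cognito custom-domain configuration (added example).

Assumptions (not from the guide): the app reads COGNITO_DOMAIN, COGNITO_CLIENT_ID
and COGNITO_REDIRECT_URI from its environment, and the "alias target" shown on the
Cognito Domain page is a CloudFront hostname.
"""
import re
from typing import Mapping
from urllib.parse import urlencode

# Default Cognito prefix domain: <prefix>.auth.<region>.amazoncognito.com
_DEFAULT_DOMAIN = re.compile(r"^[a-z0-9-]+\.auth\.[a-z0-9-]+\.amazoncognito\.com$")
_HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalise_domain(value: str) -> str:
    """Accept 'auth.example.com', 'https://auth.example.com/' or a trailing-dot name."""
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].rstrip(".")


def is_custom_domain(value: str) -> bool:
    """True when COGNITO_DOMAIN points at a branded domain, not the Cognito default."""
    host = normalise_domain(value)
    return bool(_HOSTNAME.match(host)) and not _DEFAULT_DOMAIN.match(host)


def check_cname(custom_domain: str, alias_target: str) -> bool:
    """The CNAME must map the custom host to the CloudFront alias target Cognito issued.

    A CNAME cannot sit at a zone apex, so the custom domain needs at least one
    label in front of the registered domain (auth.example.com, not example.com).
    """
    host = normalise_domain(custom_domain)
    target = normalise_domain(alias_target)
    return host.count(".") >= 2 and target.endswith(".cloudfront.net")


def idp_response_uri(domain: str) -> str:
    """Callback Cognito exposes to the Google IdP; it must be registered as an
    authorised redirect URI in the Google OAuth client after the domain changes."""
    return f"https://{normalise_domain(domain)}/oauth2/idpresponse"


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        scope: str = "openid email profile") -> str:
    """Hosted-UI authorize URL that sends the user directly to Google.

    Refuses the default Cognito domain so a stale COGNITO_DOMAIN cannot silently
    undo the custom-domain setup, and insists on an https redirect target.
    """
    if not is_custom_domain(domain):
        raise ValueError(f"COGNITO_DOMAIN is not a custom domain: {domain!r}")
    if not redirect_uri.startswith("https://"):
        raise ValueError("redirect_uri must use https")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "identity_provider": "Google",
    }
    return f"https://{normalise_domain(domain)}/oauth2/authorize?{urlencode(params)}"


def authorize_url_from_env(env: Mapping[str, str]) -> str:
    """Read the three assumed variables from an environment-like mapping."""
    return build_authorize_url(env["COGNITO_DOMAIN"], env["COGNITO_CLIENT_ID"],
                               env["COGNITO_REDIRECT_URI"])


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    sample_env = {
        "COGNITO_DOMAIN": "auth.example.com",
        "COGNITO_CLIENT_ID": "example-client-id",
        "COGNITO_REDIRECT_URI": "https://app.example.com/callback",
    }
    print(authorize_url_from_env(sample_env))
    print(idp_response_uri(sample_env["COGNITO_DOMAIN"]))
    print(check_cname("auth.example.com", "d111111abcdef8.cloudfront.net"))
```

Run it with the real values from your Domain page and environment; a False from check_cname or a ValueError from build_authorize_url points at the DNS record or the stale COGNITO_DOMAIN respectively, which are the two places the guide's "In Progress" note tells you to look.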