Unable to create aws_cognito_identity_provider with custom attributes

jneumann90 · May 27, 2025, 3:31pm

Hi all,

I am trying to create a aws_cognito_identity_provider-resource using the following code:

resource “aws_cognito_identity_provider” “this” {
user_pool_id = aws_cognito_user_pool.this.id
provider_name = oidc_provider
provider_type = var.identity_provider_type

provider_details = {
attributes_request_method = var.identity_provider_attributes_request_method
attributes_url_add_attributes = var.identity_provider_attributes_url_add_attributes
authorize_scopes = var.identity_provider_authorize_scopes
client_id = data.aws_ssm_parameter.idp_client_id.value
client_secret = data.aws_ssm_parameter.idp_client_secret.value
oidc_issuer = data.aws_ssm_parameter.idp_oidc_issuer.value
}

attribute_mapping = var.identity_provider_attribute_mapping
}

With:

variable “identity_provider_attribute_mapping” {
description = “Attribute mapping for the identity provider”
type = map(string)
default = {
“custom:groups” = “groups”
“email” = “email”
“name” = “name”
“preferred_username” = “preferred_username”
“username” = “sub”
}
}

While turning the debug-log I can see http.request.body for the request to aws-api looks like this:

{
“AttributeMapping”: {
“preferred_username”: “preferred_username”,
“custom:groups": "groups”,
“username”: “sub”,
“email”: “email”,
“name”: “name”
},
“ProviderName”: “some-name”,
“UserPoolId”: “some-pool”
}

I get the error:

…InvalidParameterException: AttributeMapping contains invalid mapping: [custom:groups]
│
│ with module.mapreduce.module.cognito.aws_cognito_identity_provider.this,
│ on .terraform/modules/mapreduce.cognito/main.tf line 10, in resource “aws_cognito_identity_provider” “this”:
│ 10: resource “aws_cognito_identity_provider” “this” {

Looking into Request in CloudTrail:

"errorMessage": "AttributeMapping contains invalid mapping: [custom:groups]",
31 "requestParameters": {
32 "userPoolId": "XXX",
33 "providerName": "XXX",
34 "providerType": "OIDC",
35 "providerDetails": {
36 "authorize_scopes": "openid email profile",
37 "client_secret": "XXX",
38 "attributes_url_add_attributes": "false",
39 "attributes_request_method": "GET",
40 "client_id": "XXX",
41 "oidc_issuer": "https://login.microsoftonline.com/XXX/v2.0"
42 },
43 "attributeMapping": {
44 "name": "name",
45 "preferred_username": "preferred_username",
46 "custom:groups": "groups",
47 "email": "email",
48 "username": "sub"
49 }
50 },

I don’t get where the square brackets are being added, but they seem to the problem here. I’ve also tried different types adding and escaping “custom:groups”: “groups” with no luck.

I tried using the latest stalbe aws-provider in version 5.98.0.

Any ideas on that?

PS: Someone else Palready had a similar issue:

acwwat · June 12, 2025, 3:52am

FYI this might be similar to the following long-standing issue that has yet to be resolved:

github.com/hashicorp/terraform-provider-aws

aws_cognito_user does not allow for developer only custom attributes to be set

opened 12:48PM - 08 Sep 22 UTC

derekmwright

bug service/cognitoidp

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Terraform CLI and Terraform AWS Provider Version Terraform v1.2.8 on windows_amd64 + provider registry.terraform.io/hashicorp/aws v4.29.0 ### Affected Resource(s) * aws_cognito_user ### Terraform Configuration Files Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation. ```hcl resource "aws_cognito_user" "bob" { user_pool_id = aws_cognito_user_pool.site.id username = "bob@example.com" attributes = { email = "bob@example.com" email_verified = true "dev:custom:tenant_id" = "00000000-0000-0000-0000-000000000000" } } ``` ### Debug Output ### Panic Output ### Expected Behavior Resource should have created with the provided attribute prefixes ### Actual Behavior Terraform only checks for `custom:` prefix and appends `custom:` to `dev:custom:` creating `custom:dev:custom:` ```sh ╷ │ Error: error creating Cognito User (us-east-1/bob@example.com): InvalidParameterException: Attributes did not conform to the schema: custom:dev:custom:tenant_id: Attribute does not exist in the schema. │ │ │ with aws_cognito_user.bob, │ on cognito.tf line 241, in resource "aws_cognito_user" "bob": │ 241: resource "aws_cognito_user" "bob" { │ ╵ ``` ### Steps to Reproduce Create a cognito user with a developer only custom attribute 1. `terraform apply` ### Important Factoids ### References Will submit an PR shortly

Perhaps the AWS CC Provider’s awscc_cognito_user_pool_identity_provider resource would work better at handling attribute names with colons.

Topic		Replies	Views
AWS Cognito Error AWS	1	73	November 5, 2024
Use Cognito User Pools as default Identity Provider Terraform	0	609	August 11, 2021
How to do dynamic block defines? AWS	2	367	June 18, 2023
SignInWithApple cognito_identity_provider configuration Terraform	2	2137	December 18, 2020
Sensitive data inside attribute map Terraform	2	437	August 30, 2019

Unable to create aws_cognito_identity_provider with custom attributes

Related topics