aws cognito-idp create-identity-provider refuses custom AttributeMapping #9729
Description
Describe the bug
An custom AttributeMapping key containing (like :custom:foo) that can be configured via the web console are rejected when executing aws cognito-idp create-identity-provider.
❯ aws cognito-idp create-identity-provider --profile xxx --cli-input-json file://./foo-bar-idp.json
An error occurred (InvalidParameterException) when calling the CreateIdentityProvider operation: AttributeMapping contains invalid mapping: [custom:zen_groups]./foo-bar-idp.json:
{
"UserPoolId": "ap-northeast-1_xxx",
"ProviderName": "FooBar",
"ProviderType": "OIDC",
"ProviderDetails": {...snip...},
"AttributeMapping": {
"custom:foo": "https://example.com/foo"
},
"IdpIdentifiers": []
}Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
The key for the custom AttributeMapping containing colons can be configured in aws cognito-idp create-identity-provider.
Current Behavior
That key cannot be configured.
Reproduction Steps
Specify an custom AttributeMapping with keys containing colons, such as custom:foo, as an argument to create-identity-provider.
Possible Solution
There seems to be an issue with the API-side validation provided by cognito-idp, so it might not be fixable through aws/aws-cli's fixture.
Additional Information/Context
I read:
CreateIdentityProvider: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.htmlcreate-identity-provider: https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-identity-provider.html
Exactly same issue in Terraform:
- https://discuss.hashicorp.com/t/unable-to-create-aws-cognito-identity-provider-with-custom-attributes/75201
- aws_cognito_user does not allow for developer only custom attributes to be set hashicorp/terraform-provider-aws#26704
CLI version used
aws-cli/2.30.1 Python/3.13.7 Darwin/24.6.0 source/arm64
Environment details (OS name and version, etc.)
macOS 15.6.1