OpenShift Bugs
OCPBUGS-13623

[ccoctl] --create-private-s3-bucket option is not supported on AWS GovCloud


    • Critical
    • No
    • Rejected
    • False

      Description of problem:

      According to the AWS documentation [1], CloudFront resources for a GovCloud account must be created from the linked commercial (standard) AWS account, not from the GovCloud account itself. There is no CloudFront endpoint in the GovCloud partition, so the hostname cloudfront.us-gov-west-1.amazonaws.com that ccoctl tries to reach does not resolve and every CloudFront call fails.
      
      This causes the following errors:
      * While deleting STS resources
      Delete reports the following errors, although the resources are deleted successfully:
      2023/05/15 02:23:29 failed to fetch a list of CloudFront distributions: RequestError: send request failed
      caused by: Get "https://cloudfront.us-gov-west-1.amazonaws.com/2020-05-31/distribution": dial tcp: lookup cloudfront.us-gov-west-1.amazonaws.com on 10.11.5.19:53: no such host
      2023/05/15 02:23:50 failed to fetch a list of CloudFront origin access identities: RequestError: send request failed
      caused by: Get "https://cloudfront.us-gov-west-1.amazonaws.com/2020-05-31/origin-access-identity/cloudfront": dial tcp: lookup cloudfront.us-gov-west-1.amazonaws.com on 10.11.5.19:53: no such host
      
      * While creating STS resources with the --create-private-s3-bucket option
      2023/05/15 02:29:06 Generating RSA keypair
      2023/05/15 02:29:09 Writing private key to aws-gov2/serviceaccount-signer.private
      2023/05/15 02:29:09 Writing public key to aws-gov2/serviceaccount-signer.public
      2023/05/15 02:29:09 Copying signing key for use by installer
      2023/05/15 02:29:15 Bucket js-awsgov2-oidc created
      2023/05/15 02:29:35 Failed to create Identity provider: failed to create CloudFront origin access identity: RequestError: send request failed
      caused by: Post "https://cloudfront.us-gov-west-1.amazonaws.com/2020-05-31/origin-access-identity/cloudfront": dial tcp: lookup cloudfront.us-gov-west-1.amazonaws.com on 10.11.5.19:53: no such host
      
      Note that the bucket js-awsgov2-oidc is created before the CloudFront call fails, so a failed run leaves the bucket behind with no identity provider.
      
      [1] https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-credentials.html
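The failure mode described above, as an added example that is not ccoctl's own code: a preflight check that maps the target region to its AWS partition, rejects --create-private-s3-bucket before any bucket is created when the partition has no CloudFront endpoint, and drops the CloudFront listing from the delete path so delete does not report the spurious errors shown above. The partition prefix rule and the two CloudFront hostnames follow the AWS SDK endpoint table; the CreateAllOptions struct, parseArgs, Preflight and the DeleteSteps list are illustrative assumptions, not ccoctl's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Partition names as the AWS SDK endpoint resolver uses them.
const (
	partitionAWS   = "aws"
	partitionUSGov = "aws-us-gov"
	partitionCN    = "aws-cn"
)

// ErrCloudFrontUnavailable is what the "no such host" lookup failure in the
// report actually means: the partition has no CloudFront service at all.
var ErrCloudFrontUnavailable = errors.New("CloudFront is not available in this partition")

// partitionFor maps a region name to its partition by prefix, the same rule
// the SDK applies (assumption: only the three public partitions matter here).
func partitionFor(region string) string {
	switch {
	case strings.HasPrefix(region, "us-gov-"):
		return partitionUSGov
	case strings.HasPrefix(region, "cn-"):
		return partitionCN
	default:
		return partitionAWS
	}
}

// cloudFrontEndpoint returns the CloudFront API hostname for a partition, or
// "" when the partition has none. GovCloud has no entry, so a client built
// for us-gov-west-1 ends up synthesising cloudfront.us-gov-west-1.amazonaws.com,
// the hostname that fails DNS in the report.
func cloudFrontEndpoint(partition string) string {
	switch partition {
	case partitionAWS:
		return "cloudfront.amazonaws.com"
	case partitionCN:
		return "cloudfront.cn-northwest-1.amazonaws.com.cn"
	default:
		return ""
	}
}

// CreateAllOptions holds the subset of `ccoctl aws create-all` flags this
// check needs (hypothetical struct, not ccoctl's own).
type CreateAllOptions struct {
	Name                  string
	Region                string
	CreatePrivateS3Bucket bool
}

// parseArgs extracts those flags from a ccoctl-style command line.
func parseArgs(args []string) (CreateAllOptions, error) {
	var o CreateAllOptions
	for _, a := range args {
		switch {
		case strings.HasPrefix(a, "--name="):
			o.Name = strings.TrimPrefix(a, "--name=")
		case strings.HasPrefix(a, "--region="):
			o.Region = strings.TrimPrefix(a, "--region=")
		case a == "--create-private-s3-bucket":
			o.CreatePrivateS3Bucket = true
		}
	}
	if o.Region == "" {
		return o, errors.New("--region is required")
	}
	return o, nil
}

// Preflight fails before any resource is created. In the report the S3 bucket
// already existed when the CloudFront call failed, so a late failure leaves an
// orphaned bucket and no OIDC identity provider.
func Preflight(o CreateAllOptions) error {
	p := partitionFor(o.Region)
	if o.CreatePrivateS3Bucket && cloudFrontEndpoint(p) == "" {
		return fmt.Errorf("--create-private-s3-bucket needs CloudFront, which has no endpoint in partition %s (region %s): %w",
			p, o.Region, ErrCloudFrontUnavailable)
	}
	return nil
}

// DeleteSteps lists an illustrative cleanup order for a region, skipping the
// CloudFront listing where the partition cannot hold distributions or origin
// access identities, so delete does not report the spurious errors above.
func DeleteSteps(region string) []string {
	steps := []string{"delete IAM roles", "delete OIDC identity provider", "delete S3 bucket"}
	if cloudFrontEndpoint(partitionFor(region)) != "" {
		steps = append([]string{"delete CloudFront distributions", "delete CloudFront origin access identities"}, steps...)
	}
	return steps
}

func main() {
	o, err := parseArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if err := Preflight(o); err != nil {
		fmt.Fprintln(os.Stderr, "preflight:", err)
		os.Exit(1)
	}
	fmt.Printf("ok: %s in %s; delete steps: %v\n", o.Name, o.Region, DeleteSteps(o.Region))
}
```

Run it with the same arguments as the reproduce command (for example `go run . aws create-all --name=sts --create-private-s3-bucket --region=us-gov-west-1`) and it exits 1 with the partition named in the error, before touching S3; with --region=us-east-1 or without --create-private-s3-bucket it passes.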
      
      
       

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-05-12-121801
       

      How reproducible:

      Always
       

      Steps to Reproduce:

      1. Run ./ccoctl aws create-all --name=<sts-name> --create-private-s3-bucket --region=us-gov-west-1 --credentials-requests-dir=./credrequests-aws --output-dir aws-gov2 in a GovCloud region
      

      Actual results:

      The OIDC identity provider is not created: ccoctl fails with "Failed to create Identity provider: failed to create CloudFront origin access identity" after the S3 bucket has already been created.
       

      Expected results:

      All resources are created successfully.
       

      Additional info:

       

            Assignee: Unassigned
            yunjiang-1 Yunfei Jiang
            Mingxia Huang
            Votes: 0
            Watchers: 5