diff --git a/deploy/stacks/cognito.py b/deploy/stacks/cognito.py
index 331604aa2..7e65ed6a3 100644
--- a/deploy/stacks/cognito.py
+++ b/deploy/stacks/cognito.py
@@ -160,8 +160,8 @@ def __init__(
 cross_account_frontend_config_role = iam.Role(
 self,
- f'{resource_prefix}-{envname}-frontend-config-role',
- role_name=f'{resource_prefix}-{envname}-frontend-config-role',
+ f'{resource_prefix}-{envname}-cognito-config-role',
+ role_name=f'{resource_prefix}-{envname}-cognito-config-role',
 assumed_by=iam.AccountPrincipal(tooling_account_id),
 )
 cross_account_frontend_config_role.add_to_policy(
diff --git a/deploy/stacks/pipeline.py b/deploy/stacks/pipeline.py
index d8504901e..51d9703db 100644
--- a/deploy/stacks/pipeline.py
+++ b/deploy/stacks/pipeline.py
@@ -893,7 +893,7 @@ def cognito_config_action(self, target_env):
 f'export enable_cw_canaries={target_env.get("enable_cw_canaries", False)}',
 'mkdir ~/.aws/ && touch ~/.aws/config',
 'echo "[profile buildprofile]" > ~/.aws/config',
- f'echo "role_arn = arn:aws:iam::{target_env["account"]}:role/{self.resource_prefix}-{target_env["envname"]}-frontend-config-role" >> ~/.aws/config',
+ f'echo "role_arn = arn:aws:iam::{target_env["account"]}:role/{self.resource_prefix}-{target_env["envname"]}-cognito-config-role" >> ~/.aws/config',
 'echo "credential_source = EcsContainer" >> ~/.aws/config',
 'aws sts get-caller-identity --profile buildprofile',
 'export AWS_PROFILE=buildprofile',
@@ -906,6 +906,10 @@ def cognito_config_action(self, target_env):
 )
 def set_albfront_stage(self, target_env, repository_name):
+ if target_env.get('custom_auth', None) is None:
+ frontend_deployment_role_arn = f'arn:aws:iam::{target_env["account"]}:role/{self.resource_prefix}-{target_env["envname"]}-cognito-config-role'
+ else:
+ frontend_deployment_role_arn = f'arn:aws:iam::{target_env["account"]}:role/{self.resource_prefix}-{target_env["envname"]}-frontend-config-role'
 albfront_stage = self.pipeline.add_stage(
 AlbFrontStage(
 self,
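Review bot: In deploy/stacks/cognito.py the role is renamed to `-cognito-config-role`, but the variable holding it is still `cross_account_frontend_config_role`, which now reads as if it were the `-frontend-config-role` that pipeline.py selects for `custom_auth` environments. Renaming it to something like `cross_account_cognito_config_role` would keep the two roles distinguishable. Because the construct id and `role_name` both change, CloudFormation will most likely replace the role rather than update it, so the old name stops existing in the environment account after deploy. A comment such as `# assumed from the tooling account by the cognito config step and, without custom_auth, by the frontend deploy step` would record who depends on it. The `iam.Role(...)` statement sits inside `__init__`, which starts and ends outside the hunk.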
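Review bot: In `set_albfront_stage` (deploy/stacks/pipeline.py) the `else` branch targets `…-frontend-config-role`, which deploy/stacks/cognito.py no longer creates after this commit, so `custom_auth` environments rely on another stack providing that role. Nothing in the diff shows where it is created, and if it is missing the `aws sts get-caller-identity --profile buildprofile` step will fail at build time. In the Cognito branch the frontend build now assumes the Cognito configuration role, so that role's policy (outside this diff) should be checked to stay limited to what the frontend step needs. The two f-strings differ only in their suffix; `role_suffix = 'cognito-config-role' if target_env.get('custom_auth') is None else 'frontend-config-role'` followed by a single ARN f-string would remove the duplication, with a short comment saying why the role differs per auth mode. The function body continues beyond the hunk.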
@@ -956,7 +960,7 @@ def set_albfront_stage(self, target_env, repository_name):
 f'export custom_auth_claims_mapping_user_id={str(target_env.get("custom_auth", {}).get("claims_mapping", {}).get("user_id", "None"))}',
 'mkdir ~/.aws/ && touch ~/.aws/config',
 'echo "[profile buildprofile]" > ~/.aws/config',
- f'echo "role_arn = arn:aws:iam::{target_env["account"]}:role/{self.resource_prefix}-{target_env["envname"]}-frontend-config-role" >> ~/.aws/config',
+ f'echo "role_arn = {frontend_deployment_role_arn}" >> ~/.aws/config',
 'echo "credential_source = EcsContainer" >> ~/.aws/config',
 'aws sts get-caller-identity --profile buildprofile',
 'export AWS_PROFILE=buildprofile',