diff --git a/pkg/cmd/provisioning/aws/create_identity_provider.go b/pkg/cmd/provisioning/aws/create_identity_provider.go
index 7679794e4..b6314da2c 100644
--- a/pkg/cmd/provisioning/aws/create_identity_provider.go
+++ b/pkg/cmd/provisioning/aws/create_identity_provider.go
@@ -15,6 +15,7 @@ import (
 awssdk "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
+ "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/service/cloudfront"
 "github.com/aws/aws-sdk-go/service/iam"
 "github.com/aws/aws-sdk-go/service/s3"
@@ -208,7 +209,7 @@ var (
 "s3:GetObject"
 ],
 "Resource": [
- "arn:aws:s3:::%s/*"
+ "arn:%s:s3:::%s/*"
 ]
 }
 ]
@@ -657,9 +658,13 @@ func createOIDCEndpoint(client aws.Client, bucketName, name, region, targetDir s
 return "", errors.Wrapf(err, "failed to allow public access for the bucket %s", bucketName)
 }
+ partition, found := endpoints.PartitionForRegion([]endpoints.Partition{endpoints.AwsPartition(), endpoints.AwsCnPartition(), endpoints.AwsUsGovPartition()}, region)
+ if !found {
+ return "", fmt.Errorf("could not find AWS partition for provided region %s", region)
+ }
 _, err = client.PutBucketPolicy(&s3.PutBucketPolicyInput{
 Bucket: awssdk.String(bucketName),
- Policy: awssdk.String(fmt.Sprintf(readOnlyAnonUserPolicyTemplate, bucketName)),
+ Policy: awssdk.String(fmt.Sprintf(readOnlyAnonUserPolicyTemplate, partition.ID(), bucketName)),
 })
 if err != nil {
 return "", errors.Wrapf(err, "failed to apply public access policy to the bucket %s", bucketName)
diff --git a/pkg/cmd/provisioning/aws/create_identity_provider_test.go b/pkg/cmd/provisioning/aws/create_identity_provider_test.go
index 3b2214415..2cb1939ae 100644
--- a/pkg/cmd/provisioning/aws/create_identity_provider_test.go
+++ b/pkg/cmd/provisioning/aws/create_identity_provider_test.go
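Review bot: `readOnlyAnonUserPolicyTemplate` now carries two positional `%s` verbs whose order (partition ID first, bucket name second) is fixed only by the single call site in createOIDCEndpoint, so a short comment on the template would make that contract visible to anyone else formatting it, e.g. `// Format arguments, in order: partition ID (e.g. "aws", "aws-cn", "aws-us-gov"), bucket name.` placed above the template string. Any other `fmt.Sprintf(readOnlyAnonUserPolicyTemplate, ...)` caller outside this diff would now emit a policy with a malformed Resource ARN and should be checked; I cannot see one from here. The `var (` block that holds the template starts and ends outside the hunk.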
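Review bot: The partition lookup is placed after the bucket has already been created and its public-access block lifted (the `failed to allow public access for the bucket` return directly above it), so a region that does not resolve now fails the command while leaving a publicly readable bucket with no policy applied. The lookup makes no AWS call, so it can move to the top of createOIDCEndpoint before any resource is provisioned; the four added lines are unchanged in content, only relocated. The hand-built three-partition list also leaves out the other partitions the SDK knows about; unless restricting to these three is deliberate, `partition, found := endpoints.PartitionForRegion(endpoints.DefaultPartitions(), region)` covers all of them and keeps the lookup in one line. createOIDCEndpoint begins and ends outside the hunk.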
@@ -11,6 +11,7 @@ import (
 "testing"
 awssdk "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/service/cloudfront"
 "github.com/aws/aws-sdk-go/service/iam"
 "github.com/aws/aws-sdk-go/service/s3"
@@ -342,3 +343,34 @@ func mockPutBucketPolicy(mockAWSClient *mockaws.MockClient) {
 mockAWSClient.EXPECT().PutBucketPolicy(gomock.Any()).Return(
 &s3.PutBucketPolicyOutput{}, nil).AnyTimes()
 }
+
+func TestDeterminePartitionForRegion(t *testing.T) {
+ tests := []struct {
+ region string
+ }{
+ {
+ region: "us-east-1",
+ },
+ {
+ region: "us-west-1",
+ },
+ {
+ region: "us-gov-east-1",
+ },
+ {
+ region: "us-gov-west-1",
+ },
+ {
+ region: "cn-north-1",
+ },
+ {
+ region: "cn-northwest-1",
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.region, func(t *testing.T) {
+ _, found := endpoints.PartitionForRegion([]endpoints.Partition{endpoints.AwsPartition(), endpoints.AwsCnPartition(), endpoints.AwsUsGovPartition()}, test.region)
+ require.True(t, found, "expected to find partition for region")
+ })
+ }
+}
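Review bot: TestDeterminePartitionForRegion only asserts that the SDK's `endpoints.PartitionForRegion` finds some partition for each region; it never checks which partition comes back, so a mapping of a GovCloud or China region to the wrong partition ID (and therefore a wrong ARN prefix in the bucket policy) would pass, and it does not exercise the `!found` branch that the production change adds. Carrying an expected partition ID per case and comparing it with `partition.ID()`, plus one region that must not resolve, pins the behaviour the commit actually depends on. The test name also suggests a `determinePartitionForRegion` helper, but the lookup is inlined in createOIDCEndpoint in the other file of this diff; extracting it into such a helper would let this test cover project code rather than the SDK alone.

```go
	tests := []struct {
		region    string
		partition string // expected partition ID; empty means the region must not resolve
	}{
		{region: "us-east-1", partition: "aws"},
		{region: "us-gov-east-1", partition: "aws-us-gov"},
		{region: "cn-north-1", partition: "aws-cn"},
		// … remaining regions from the hunk, each with its expected partition ID …
		{region: "xx-unknown-1", partition: ""}, // constructed value: exercises the not-found path
	}
	for _, test := range tests {
		t.Run(test.region, func(t *testing.T) {
			partition, found := endpoints.PartitionForRegion([]endpoints.Partition{endpoints.AwsPartition(), endpoints.AwsCnPartition(), endpoints.AwsUsGovPartition()}, test.region)
			if test.partition == "" {
				require.False(t, found, "expected no partition for region")
				return
			}
			require.True(t, found, "expected to find partition for region")
			require.Equal(t, test.partition, partition.ID())
		})
	}
```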