diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go
index d0525ad3..bfaeb25c 100644
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@@ -77,7 +77,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 
 	// match with server audiences
 	if matchesAudience(claims.Audience, audiences) {
-		// Use fragment to get audiences (GCP)
+		// Use fragment to get audiences (GCP, AWS)
 		if fragment != "" {
 			return c.Load(fragment)
 		}
@@ -107,7 +107,7 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims)
 			return p, ok
 		}
 	}
-	// Fallback to aud (GCP)
+	// Fallback to aud
 	return c.Load(payload.Audience[0])
 }
 
@@ -124,9 +124,9 @@ func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool)
 			case TypeJWK:
 				return c.Load(string(provisioner.Name) + ":" + string(provisioner.CredentialID))
 			case TypeAWS:
-				return c.Load("aws:" + string(provisioner.Name))
+				return c.Load("aws/" + string(provisioner.Name))
 			case TypeGCP:
-				return c.Load("gcp:" + string(provisioner.Name))
+				return c.Load("gcp/" + string(provisioner.Name))
 			default:
 				return c.Load(string(provisioner.CredentialID))
 			}