403 Forbidden on Architect Data Action calling Lambda - IAM Role Config Issue

Trying to invoke an AWS Lambda function from a CXone Architect Data Action. The integration is set up as a Custom Integration with the correct endpoint. The issue is the HTTP 403 Forbidden response coming back from AWS.

The Data Action JSON looks like this:

{
  "endpoint": "https://lambda.us-west-2.amazonaws.com/2015-03-31/function/my-test-lambda/invocations",
  "method": "POST",
  "headers": {
    "Authorization": "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20231025/us-west-2/lambda/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=abcdef...",
    "Content-Type": "application/json",
    "X-Amz-Date": "20231025T120000Z"
  },
  "body": "{\"name\": \"test\"}"
}

The signature is generated server-side by our middleware before passing to Architect, but I suspect the IAM role attached to the Lambda doesn’t trust the CXone integration principal or the policy is too restrictive. The Lambda policy allows invocation from arn:aws:iam::123456789012:role/cxone-lambda-role.

The error response from AWS is:

{
  "message": "User: arn:aws:iam::123456789012:user/cxone-integration is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:123456789012:function:my-test-lambda"
}

It seems like the signature is being rejected because the principal in the signature doesn’t match what AWS expects. I’ve checked the clock skew and it’s within limits. The region matches. The access key has the lambda:InvokeFunction permission attached via an inline policy.

What’s the correct IAM policy structure for allowing a CXone Data Action to invoke a Lambda? Do I need to add a resource-based policy to the Lambda itself? The documentation is vague on the exact ARN format for the principal.
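The AccessDenied message above names the identity AWS resolved from the access key (user/cxone-integration), while the Lambda resource-based policy in the post trusts role/cxone-lambda-role. The following added example (not from the post or from CXone/AWS) is a simplified model of how a resource-based policy statement's Principal, Action and Resource are matched against a caller, showing why those two ARNs do not line up; it ignores Condition blocks, SCPs and permission boundaries, and the ARNs are the constructed sample values from the post.

```python
import fnmatch

# Constructed sample values taken from the post: the caller ARN that AWS names in
# the AccessDenied message, the role the resource policy trusts, and the function.
CALLER_ARN = "arn:aws:iam::123456789012:user/cxone-integration"
ROLE_ARN = "arn:aws:iam::123456789012:role/cxone-lambda-role"
FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789012:function:my-test-lambda"
INVOKE = "lambda:InvokeFunction"

def make_policy(principal, effect="Allow", action=INVOKE, resource=FUNCTION_ARN):
    """Build a one-statement Lambda resource-based policy in the shape AWS uses."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowInvoke", "Effect": effect,
        "Principal": "*" if principal == "*" else {"AWS": principal},
        "Action": action, "Resource": resource}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def principal_matches(principal, caller_arn):
    """Simplified principal match: '*', the exact caller ARN, or the caller's
    account root ('arn:aws:iam::ACCOUNT:root' or a bare account id), which
    delegates to every identity in that account."""
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    allowed = _as_list(principal.get("AWS", []))
    return any(p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")
               for p in allowed)

def _glob(value, patterns, fold=False):
    # IAM patterns use '*' and '?' wildcards; action names are case-insensitive.
    if fold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, caller_arn, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for a resource policy.
    Simplified model only: no Condition blocks, SCPs or permission boundaries."""
    verdict = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (principal_matches(st.get("Principal", {}), caller_arn)
                and _glob(action, st["Action"], fold=True)
                and _glob(resource, st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        verdict = "Allow"
    return verdict

if __name__ == "__main__":
    # The post's situation: the policy trusts the role, but the signer is the user.
    print(evaluate(make_policy(ROLE_ARN), CALLER_ARN, INVOKE, FUNCTION_ARN))    # ImplicitDeny
    print(evaluate(make_policy(CALLER_ARN), CALLER_ARN, INVOKE, FUNCTION_ARN))  # Allow
```

Note that within a single account an identity-based policy on the user can grant lambda:InvokeFunction on its own, so this model only explains the principal mismatch in the resource-based policy, not every reason an invoke can be denied.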