We are seeing a persistent 403 Forbidden error when our Genesys Cloud Architect flow attempts to invoke an AWS Lambda function via a Data Action. The weird part is that the same IAM role works perfectly when tested manually in the AWS Console.
The error response from Architect looks like this:
    {
      "error": "Forbidden",
      "error_description": "The resource owner or authorization server denied the request"
    }
We’ve checked the following:
- The IAM role attached to the Lambda has lambda:InvokeFunction permission.
- The role's trust policy allows genesys.cloud to assume it (we are using the Genesys Cloud OAuth credentials as the source).
- The Data Action is configured with the correct Region and Function ARN.
- Network ACLs and Security Groups allow outbound traffic from our VPC (where the Lambda runs) to the Genesys Cloud endpoints.
Is there a specific IAM policy statement required for the Genesys Cloud service principal to invoke the function? We have been using the standard arn:aws:iam::aws:policy/AWSLambdaBasicExecutionRole but that doesn’t seem to be enough for external invocation from Architect.
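Added example, not part of the original post and not Genesys Cloud or AWS code: an offline checker for the two policies an external caller needs before it can invoke a function through an assumed role. The trust policy decides who may assume the role, and the permission policy decides whether the assumed role may call lambda:InvokeFunction on the function ARN. AWSLambdaBasicExecutionRole only grants the CloudWatch Logs actions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents), so a role carrying nothing else can never invoke anything. The function ARN and the invoking principal (arn:aws:iam::111122223333:root) are constructed placeholders; substitute the principal the invoking service documents for your region.

```python
"""Offline checker for an invoking role's trust and permission policies.
Added example; the principal and function ARN below are placeholders."""
import fnmatch

# Constructed sample values (not from the original post).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:architect-lookup"
EXTERNAL_PRINCIPAL = "arn:aws:iam::111122223333:root"  # placeholder invoking account

# Everything the managed policy AWSLambdaBasicExecutionRole grants: CloudWatch Logs only.
EXECUTION_ROLE_ACTIONS = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value, pattern, fold=True):
    """IAM-style wildcard match. Actions are case-insensitive; resource ARNs are not."""
    if fold:
        value, pattern = value.lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for key in ("AWS", "Service", "Federated"):
        found.extend(_as_list(principal.get(key)))
    return found


def trust_allows(trust_policy, expected_principal):
    """True if an Allow statement lets expected_principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches("sts:AssumeRole", a) for a in _as_list(stmt.get("Action"))):
            continue
        if any(p == "*" or p == expected_principal for p in _principals(stmt)):
            return True
    return False


def grants_invoke(permission_policy, function_arn):
    """True if an Allow statement grants lambda:InvokeFunction on function_arn."""
    for stmt in _as_list(permission_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches("lambda:InvokeFunction", a) for a in _as_list(stmt.get("Action"))):
            continue
        if any(_matches(function_arn, r, fold=False) for r in _as_list(stmt.get("Resource"))):
            return True
    return False


def diagnose(trust_policy, permission_policy, expected_principal, function_arn):
    """Return finding codes; an empty list means both policies cover the invocation."""
    findings = []
    if not trust_allows(trust_policy, expected_principal):
        findings.append("TRUST_MISSING")   # caller cannot assume the role at all
    if not grants_invoke(permission_policy, function_arn):
        findings.append("INVOKE_MISSING")  # role can be assumed but may not invoke
    actions = set()
    for stmt in _as_list(permission_policy.get("Statement")):
        actions.update(_as_list(stmt.get("Action")))
    if actions and actions <= EXECUTION_ROLE_ACTIONS:
        findings.append("LOGS_ONLY")       # AWSLambdaBasicExecutionRole scope only
    return findings


# Constructed sample policies. The "broken" pair is a typical execution role
# (trusted by the Lambda service, logs-only); the "fixed" pair is an invoking role.
BROKEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
BROKEN_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(EXECUTION_ROLE_ACTIONS), "Resource": "*"}]}
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": EXTERNAL_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
FIXED_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]}

if __name__ == "__main__":
    for label, trust, perms in (("execution-role-only", BROKEN_TRUST, BROKEN_PERMS),
                                ("invoking-role", FIXED_TRUST, FIXED_PERMS)):
        print(label, diagnose(trust, perms, EXTERNAL_PRINCIPAL, FUNCTION_ARN) or ["OK"])
```

Feed it the JSON of `aws iam get-role` (the AssumeRolePolicyDocument) and of the role's attached or inline policies. The checker deliberately keeps the invoke grant scoped to one function ARN rather than `*`, which is the least-privilege shape to aim for; it does not evaluate Condition blocks, so a role that also pins an external ID or source account still has to be checked by hand on that point.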