Looking for some advice on troubleshooting this permissions issue. I’ve got an Architect flow that needs to trigger an AWS Lambda function via a Data Action. The Lambda works fine when I test it manually or hit it from Postman, but the Data Action in Genesys keeps failing.
Here’s the setup:
- Genesys Cloud Org in US-East-1
- AWS Lambda in ap-southeast-2 (Sydney)
- Data Action configured as POST to the Lambda Invoke URL
- Payload is minimal JSON: {"userId": "12345"}
The error I’m seeing in the Architect trace is:
{
  "status": 403,
  "code": "ForbiddenException",
  "message": "User: arn:aws:sts::123456789012:assumed-role/GenesysIntegrationRole/lambda is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-southeast-2:123456789012:function:myFunc"
}
I’ve attached the IAM role policy to the execution role, and it looks correct:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-southeast-2:123456789012:function:myFunc"
    }
  ]
}
I’m using a service account token in the Data Action for auth, but I don’t think that’s the issue since the 403 comes from AWS, not Genesys. Is there a specific header I need to send? Or maybe the AssumeRole policy is wrong? I’ve tried adding a resource condition but that didn’t help. Anyone run into this?
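A quick offline check for this kind of 403, added here as an example and not code from the original post: the AWS AccessDenied message already names the calling principal (the assumed role and its session name), the action and the resource ARN, so the two things to verify first are whether the policy as written would allow that exact action/resource pair, and whether the role named in the error is the role the policy is actually attached to. The script below parses the message and policy quoted in the post (embedded as constructed inputs), runs a deliberately simplified identity-policy evaluation (explicit Deny wins, then any matching Allow, otherwise implicit deny; Condition blocks, NotAction, permission boundaries and the function's resource-based policy are not modelled, which is an assumption of this example), and reports both findings. The function and variable names are my own.

```python
import fnmatch
import re

# Constructed inputs, copied from the post: the policy statement and the 403 body.
POLICY_DOC = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:ap-southeast-2:123456789012:function:myFunc",
        }
    ],
}

ERROR_BODY = {
    "status": 403,
    "code": "ForbiddenException",
    "message": (
        "User: arn:aws:sts::123456789012:assumed-role/GenesysIntegrationRole/lambda "
        "is not authorized to perform: lambda:InvokeFunction on resource: "
        "arn:aws:lambda:ap-southeast-2:123456789012:function:myFunc"
    ),
}

# Shape of the standard IAM access-denied message.
MSG_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal ARN, action and resource ARN from an AccessDenied message.

    For an STS assumed-role principal (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION)
    the role name is returned separately, since that is the role whose policies apply.
    """
    m = MSG_RE.search(message)
    if not m:
        raise ValueError("not an IAM access-denied message")
    found = m.groupdict()
    parts = found["principal"].split(":")
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        found["role_name"] = parts[5].split("/")[1]
    else:
        found["role_name"] = None
    return found


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource; action names are
    # case-insensitive, so compare lowercased on both sides.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate_identity_policy(policy, action, resource):
    """Simplified identity-policy evaluation (assumption: no Condition/NotAction support).

    Returns 'explicit-deny', 'allow' or 'implicit-deny'.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if "Action" not in stmt:
            continue  # NotAction / NotResource statements are not modelled here
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit-deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


def diagnose(policy, error_body, attached_to_role):
    """Report (1) which role made the denied call and whether it is the role the
    policy is attached to, and (2) whether the policy would allow the denied call."""
    denied = parse_access_denied(error_body["message"])
    return {
        "calling_role": denied["role_name"],
        "policy_attached_to": attached_to_role,
        "role_matches": denied["role_name"] == attached_to_role,
        "policy_verdict": evaluate_identity_policy(policy, denied["action"], denied["resource"]),
    }


if __name__ == "__main__":
    print(diagnose(POLICY_DOC, ERROR_BODY, "GenesysIntegrationRole"))
```

For the values quoted in the post the policy verdict comes back as an allow on exactly the ARN in the error, so if that policy really is attached to GenesysIntegrationRole, the identity policy itself is not what is producing the denial, and the remaining places to look are outside what this check models: the role the Data Action credentials actually resolve to (compare it with the assumed-role name in the message), any Condition you added, and the Lambda function's own resource-based policy in ap-southeast-2.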