403 Forbidden when invoking AWS Lambda from Genesys Cloud Architect Data Action

Running into a wall trying to invoke an AWS Lambda function directly from a Genesys Cloud Architect flow using a REST API data action. The setup seems straightforward on paper, but the invocation keeps failing with a 403 Forbidden error from the Lambda service itself, not Genesys.

Here is the current configuration:

  • Genesys Cloud Data Action: REST API, POST method.
  • Endpoint: https://lambda.us-west-2.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-west-2:123456789012:function:my-genesis-handler/invocations
  • Headers:
      • Content-Type: application/json
      • Authorization: Bearer <token> (I’ve tried leaving this blank, and also passing a dummy value, assuming Lambda auth handles the IAM role)
  • Body: { "key1": "value1", "queueId": "12345" }
  • AWS Side: The Lambda function exists in us-west-2. I’ve attached a basic IAM role to the Lambda execution role with lambda:InvokeFunction permissions.

The error response from AWS is:

{
  "message": "User: arn:aws:sts::123456789012:assumed-role/lambda-role/my-genesis-handler is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:123456789012:function:my-genesis-handler"
}

I’ve verified the ARN is correct. I’ve also tried adding a resource-based policy to the Lambda function to allow principal: * for testing, but the same 403 persists. It feels like the request from Genesys Cloud isn’t being authenticated correctly against AWS, or maybe the endpoint format is wrong for direct invocation.

Has anyone gotten this specific pattern working? I know I could route through a custom API gateway or a Node.js middleware, but I want to keep the latency low and avoid extra hops if possible. The docs for “Calling external APIs” are pretty generic about IAM roles.

Steps I’ve tried:

  1. Checked the Lambda IAM role policies. They include lambda:InvokeFunction.
  2. Added a resource-based policy to the Lambda function allowing * as principal. Still 403.
  3. Verified the region matches the Lambda function (us-west-2).
  4. Tried using the x-amzn-invocation-type: Event header to see if async invocation works differently. No change.
  5. Checked the Genesys Cloud data action logs. The request is sent, AWS responds with 403. Genesys treats it as a failed HTTP call.

Is there a specific header or signature required when calling Lambda directly from Genesys Cloud? Or is this pattern just not supported out of the box without an API Gateway layer?
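Lambda's Invoke endpoint authenticates each request with AWS Signature Version 4 rather than a Bearer token, and authorizes it against the IAM principal that signed it. The block below is an added example, not code from the post, from Genesys Cloud or from AWS: it signs exactly the request described above using constructed placeholder credentials, so the headers a direct call has to carry can be inspected, and it returns the canonical request, which is the first thing to compare when AWS rejects a signature.

```python
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# The request exactly as the question describes it (the ARN is the poster's placeholder value).
FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789012:function:my-genesis-handler"
ENDPOINT = f"https://lambda.us-west-2.amazonaws.com/2015-03-31/functions/{FUNCTION_ARN}/invocations"
BODY = b'{"key1": "value1", "queueId": "12345"}'
# Constructed placeholder credentials: Lambda authorizes the Invoke call against the IAM
# principal that signed it, and that principal needs lambda:InvokeFunction on the function.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "constructed-secret-key-not-a-real-one"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_sign(method, url, body, access_key, secret_key, region, service, amz_date):
    """Build SigV4 headers for one request; amz_date is 'YYYYMMDDTHHMMSSZ' in UTC.

    Also returns the canonical request, which AWS re-derives server-side.
    """
    parts = urlsplit(url)
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    # SigV4 canonical URI: each path segment URI-encoded twice (only S3 encodes once), so the
    # ':' characters of the function ARN appear as %253A here and as %3A on the wire.
    canonical_uri = "/".join(quote(quote(seg, safe=""), safe="") for seg in parts.path.split("/"))
    headers = {"content-type": "application/json", "host": parts.netloc,
               "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, canonical_uri, "", canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):  # signing-key derivation chain
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, canonical_request


def sign_lambda_invoke(amz_date):
    """Sign the question's request; this Authorization header takes the place of 'Bearer <token>'."""
    return sigv4_sign("POST", ENDPOINT, BODY, ACCESS_KEY, SECRET_KEY, "us-west-2", "lambda", amz_date)
```

The error message in the post names the principal AWS actually evaluated; whichever identity ends up signing the data action's request is the one that must be granted lambda:InvokeFunction on the function ARN.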