Architect Data Action 403 calling Lambda

Getting a 403 Forbidden when trying to invoke a Lambda from an Architect Data Action. The IAM role has the invoke permission attached.

{
  "code": 403,
  "message": "User: arn:aws:sts::123456789:assumed-role/genesys-integration-role/genesys is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:123456789:function:my-handler"
}

Policy looks fine in console. What’s the exact trust policy snippet needed for the role?

The trust policy is wrong. It needs to explicitly allow genesyscloud.com as the principal, not just the role ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "genesyscloud.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "*"
    }
  ]
}

That principal syntax won’t work. Lambda trust policies don’t accept custom domains like that. You need the specific AWS STS role ARN or the external ID pattern if you’re using OIDC federation.

Here’s the actual trust policy structure that Genesys expects for direct Lambda invocation via Architect:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/genesys-integration-role"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-central-1:123456789:function:my-handler"
    }
  ]
}

Also check the resource-based policy on the Lambda function itself. Sometimes the role has permission, but the function denies it. If you’re using a shared token across regions, make sure the execution role in Genesys matches the region of the Lambda. eu-central-1 requires explicit regional endpoints in the Architect data action config too. Don’t forget to add lambda:InvokeFunction to the role’s inline policy, not just the trust relationship. They’re two different things.
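The last reply's point that the trust relationship and the role's permission policy are two different things (and that the function's own resource-based policy is a third place a denial can come from) is easier to see when the three documents are evaluated side by side. The script below is an added example written for this thread, not code from any poster or from Genesys; it models a deliberately simplified, same-account version of the IAM decision: the caller must be able to assume the role, an explicit Deny anywhere wins, otherwise an Allow in either the role's permission policy or the function's resource policy grants the call. The caller ARN, the policy documents and the scenario names are constructed for illustration; the role, function and region ARNs are the ones from the error message above.

```python
"""Simplified walk-through of why lambda:InvokeFunction returns 403.

Added example, not from the thread. Same-account rule modelled here:
  1. caller must be allowed by the role's trust policy (sts:AssumeRole),
  2. an explicit Deny in the permission policy or the function's
     resource-based policy wins,
  3. otherwise an Allow in either of those two policies grants the call.
Real AWS evaluation adds SCPs, permission boundaries and conditions; this
is a diagnostic aid, not a reimplementation of IAM.
"""
import fnmatch

# ARNs taken from the 403 message in the thread.
FUNCTION_ARN = "arn:aws:lambda:eu-central-1:123456789:function:my-handler"
ROLE_ARN = "arn:aws:iam::123456789:role/genesys-integration-role"
# Constructed placeholder for whoever assumes the role; the real principal
# used by Genesys is not something this example knows.
CALLER_ARN = "arn:aws:iam::123456789:user/constructed-caller"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    """IAM-style wildcard match ('*' and '?') of value against any pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def can_assume_role(trust_policy, caller_arn):
    """Trust policy: an Allow sts:AssumeRole whose AWS principal names the caller."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and _any_match(stmt.get("Action", []), "sts:AssumeRole")
                and _any_match(aws_principals, caller_arn)):
            return True
    return False


def _effects(policy, action, resource, principal_arn=None):
    """Set of Effects ('Allow'/'Deny') from statements covering action+resource.

    principal_arn is only checked for resource-based policies, which carry a
    Principal element; identity (permission) policies do not.
    """
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _any_match(stmt.get("Action", []), action):
            continue
        if not _any_match(stmt.get("Resource", "*"), resource):
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            if principal == "*":
                principal = {"AWS": "*"}
            aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
            if not _any_match(aws_principals, principal_arn):
                continue
        effects.add(stmt.get("Effect"))
    return effects


def diagnose_invoke(trust_policy, identity_policy, resource_policy,
                    caller_arn, role_arn, function_arn):
    """Return (allowed, reason) for caller -> role -> lambda:InvokeFunction."""
    action = "lambda:InvokeFunction"
    if not can_assume_role(trust_policy, caller_arn):
        return False, "trust policy does not let the caller assume the role"
    identity = _effects(identity_policy, action, function_arn)
    resource = _effects(resource_policy, action, function_arn, principal_arn=role_arn)
    if "Deny" in identity or "Deny" in resource:
        return False, "explicit Deny on lambda:InvokeFunction wins"
    if "Allow" in identity or "Allow" in resource:
        return True, "allowed"
    return False, "no Allow for lambda:InvokeFunction on this function ARN (the 403 in the thread)"


# Constructed policy documents for the scenarios.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CALLER_ARN}, "Action": "sts:AssumeRole"}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
RESOURCE_POLICY_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]}


def identity_policy_for(resource):
    """Permission policy granting InvokeFunction on exactly one resource ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": resource}]}


def run_scenarios():
    """Each situation raised in the thread; returns {name: (allowed, reason)}."""
    wrong_region = FUNCTION_ARN.replace("eu-central-1", "eu-west-1")
    args = (CALLER_ARN, ROLE_ARN, FUNCTION_ARN)
    return {
        "no_trust": diagnose_invoke(EMPTY_POLICY, identity_policy_for(FUNCTION_ARN), EMPTY_POLICY, *args),
        "trust_only": diagnose_invoke(TRUST_POLICY, EMPTY_POLICY, EMPTY_POLICY, *args),
        "wrong_region": diagnose_invoke(TRUST_POLICY, identity_policy_for(wrong_region), EMPTY_POLICY, *args),
        "correct": diagnose_invoke(TRUST_POLICY, identity_policy_for(FUNCTION_ARN), EMPTY_POLICY, *args),
        "function_denies": diagnose_invoke(TRUST_POLICY, identity_policy_for(FUNCTION_ARN), RESOURCE_POLICY_DENY, *args),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The "trust_only" and "wrong_region" scenarios are the two that reproduce the thread's 403: a trust relationship alone grants nothing, and a permission policy written for a different region's ARN does not cover the eu-central-1 function. Against a live account the equivalent checks are `aws iam get-role` (trust policy), `aws iam simulate-principal-policy --policy-source-arn <role> --action-names lambda:InvokeFunction --resource-arns <function>` (permission policies) and `aws lambda get-policy --function-name <function>` (resource-based policy).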