Why does this setting result in a 403 Forbidden error when the Architect Data Action attempts to invoke the AWS Lambda function, despite the IAM role having full lambda:InvokeFunction permissions?
I am automating the deployment of Genesys Cloud Architect flows using the Python SDK and Terraform provider. The goal is to offload complex business logic to AWS Lambda. I have configured an IAM role with the necessary trust policy to allow lambda.amazonaws.com to assume it, and I have attached a policy granting lambda:InvokeFunction on the specific function ARN. However, when the Data Action executes within the flow, it fails immediately.
The Data Action configuration in the JSON payload looks like this:
{
  "type": "lambda",
  "configuration": {
    "functionArn": "arn:aws:lambda:eu-west-2:123456789012:function:gc-automation-logic",
    "roleArn": "arn:aws:iam::123456789012:role/gc-data-action-role",
    "payload": "${json.stringify(inputs)}"
  }
}
The error response from Genesys Cloud is:
{
  "errors": [
    {
      "code": "forbidden",
      "message": "Failed to invoke Lambda function: User: arn:aws:sts::123456789012:assumed-role/gc-data-action-role/i-0123456789abcdef0 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-2:123456789012:function:gc-automation-logic"
    }
  ]
}
I have verified the role ARN matches exactly. The Python script used to validate permissions via boto3.client('iam').get_role(RoleName='gc-data-action-role') returns the correct policy attachment. I am using the latest version of the Terraform provider (genesys/gc). Is there a specific trust policy constraint required for Genesys Cloud’s service principal that differs from standard AWS Lambda triggers, or is this a known issue with how the Data Action service assumes roles in the eu-west-2 region?
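An added offline check, not from the original post: a simplified evaluator over the two documents involved here, the role's trust policy (which principals may assume it) and its permission policy (whether lambda:InvokeFunction on the function ARN is allowed). It models Effect/Action/NotAction/Resource with IAM wildcards and Deny-over-Allow, ignores Condition blocks, and the policy documents below are constructed sample input, not the poster's actual files.

```python
import fnmatch

# Constructed sample values mirroring the question (hypothetical reconstruction
# of the two policy documents the poster describes).
FUNCTION_ARN = "arn:aws:lambda:eu-west-2:123456789012:function:gc-automation-logic"
INVOKE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                                "Resource": FUNCTION_ARN}]}
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "lambda.amazonaws.com"}}]}

def _as_list(value) -> list:
    """IAM accepts a string or a list for Action, Resource and Principal fields."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(patterns: list, target: str, fold: bool = False) -> bool:
    """IAM wildcard match: '*' any run, '?' one char (fnmatch semantics).
    Actions compare case-insensitively (fold=True); resource ARNs do not."""
    if fold:
        patterns, target = [p.lower() for p in patterns], target.lower()
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)

def evaluates_allow(policy: dict, action: str, resource: str) -> bool:
    """Deny wins, then any Allow, else implicit deny; Condition blocks ignored."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            action_hit = not _matches(_as_list(stmt["NotAction"]), action, fold=True)
        else:
            action_hit = _matches(_as_list(stmt.get("Action")), action, fold=True)
        resource_hit = _matches(_as_list(stmt.get("Resource", "*")), resource)
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def trusted_principals(trust_policy: dict) -> set:
    """Service and AWS principals named by an Allow sts:AssumeRole statement."""
    out = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _matches(
                _as_list(stmt.get("Action")), "sts:AssumeRole", fold=True):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, str):  # bare "*" principal form
            principal = {"AWS": principal}
        for kind in ("Service", "AWS"):
            out.update(_as_list(principal.get(kind)))
    return out
```

For the authoritative answer against the live role, boto3's `iam.simulate_principal_policy(PolicySourceArn=..., ActionNames=[...], ResourceArns=[...])` evaluates the real policies, including Condition blocks and resource policies, which this local model does not.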