the IAM policy is definitely the missing piece here. the trust policy just says “who” can assume the role, but the inline policy says “what” they can do once assumed. if you only set the trust policy, Genesys can get the credentials, but AWS immediately rejects the actual Lambda call because the role itself doesn’t have permission to invoke functions.
you need to attach a policy like this to GenesysLambdaRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:us-east-1:123456789:function:YourFunctionName"
}
]
}
also, watch out for the region in the ARN. if your Lambda is in us-west-2 but your Data Action points to us-east-1, you’ll get a 403 or a 404 depending on how AWS resolves the cross-region call. the Data Action URL must match the Lambda’s region exactly.
another thing that trips people up is the external account configuration in Genesys. make sure the external account is set to “AWS” and you’re passing the correct Access Key and Secret Key. if you’re using IAM roles for service accounts (IRSA) or something similar, the signature might fail silently or throw a 403. for a simple Data Action, static keys in the external account usually work best until you get the flow stable.
i’ve also seen cases where the Lambda function itself has a resource policy that denies access from specific principals. double-check the Lambda’s resource-based policy in the AWS console. it should look something like this:
{
"Version": "2015-03-31",
"Id": "default",
"Statement": [
{
"Sid": "AllowGenesysInvoke",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:role/GenesysLambdaRole"
},
"Action": "lambda:InvokeFunction",
"Resource": "*"
}
]
}
if both the role policy and the Lambda resource policy are aligned, the 403 should disappear. check the CloudWatch logs for the Lambda function too, sometimes the error message in Genesys is misleading and the real issue is a timeout or a malformed request body.