Architect Data Action fails to invoke Lambda with 403 Forbidden despite correct IAM policy

Issue

We are attempting to integrate a Genesys Cloud Architect flow with an AWS Lambda function to process custom routing logic. The flow uses a Data Action configured to call the Lambda via an HTTP POST request. The Lambda is deployed in eu-central-1 and is intended to be invoked by Genesys Cloud’s integration service.

Configuration

The IAM role attached to the Lambda function has the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-central-1:123456789012:function:GenesysRouter",
      "Principal": {
        "Service": "events.amazonaws.com"
      }
    }
  ]
}

The Data Action in Architect is configured with the following URL:
https://lambda.eu-central-1.amazonaws.com/2015-03-31/functions/GenesysRouter/invocations

Headers include:

  • Content-Type: application/json
  • Authorization: Bearer <ACCESS_KEY> (using AWS Signature Version 4 signing in the request body)

Error

The Lambda invocation fails with a 403 Forbidden response. The response body is:

{
  "message": "User: arn:aws:sts::123456789012:assumed-role/LambdaExecutionRole/i-0abc123def456789 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:123456789012:function:GenesysRouter"
}

Question

The IAM policy seems correct, but the error suggests the assumed role is not authorized. We have verified that the Lambda function is public and the ARN is correct. Could there be an issue with how the IAM role is assumed or the way the Data Action is signing the request? Any insights on the correct IAM configuration for Genesys Cloud to invoke a Lambda function directly would be appreciated.
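As an added example that is not part of the post: a small lint that separates the two IAM policy types involved here. An identity-based policy is attached to a role or user, so that identity is the principal and a Principal element is not permitted in it; a resource-based policy is attached to the Lambda function itself and must name the Principal it grants access to. The lint is run over a constructed copy of the policy document from the post (same placeholder account id and function name).

```python
"""Lint an IAM policy document as identity-based or resource-based."""
import json

# Constructed copy of the policy document shown in the post above.
POLICY_FROM_POST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:eu-central-1:123456789012:function:GenesysRouter",
    "Principal": {"Service": "events.amazonaws.com"}
  }]
}""")


def lint_policy(policy: dict, kind: str) -> list:
    """Return a list of problems found in the policy.

    kind is "identity" (policy attached to a role/user) or "resource"
    (policy attached to the Lambda function, i.e. its function policy).
    """
    if kind not in ("identity", "resource"):
        raise ValueError("kind must be 'identity' or 'resource'")
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement is also valid JSON here
        statements = [statements]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            problems.append(f"{where}: missing Action")
        if "Resource" not in st and "NotResource" not in st:
            problems.append(f"{where}: missing Resource")
        has_principal = "Principal" in st or "NotPrincipal" in st
        # The attached identity is the implicit principal of an identity-based
        # policy; an explicit Principal element is rejected there.
        if kind == "identity" and has_principal:
            problems.append(f"{where}: Principal not allowed in identity-based policy")
        # A resource-based policy grants access to someone else, so it must say who.
        if kind == "resource" and not has_principal:
            problems.append(f"{where}: resource-based policy requires a Principal")
    return problems


if __name__ == "__main__":
    for kind in ("identity", "resource"):
        print(kind, lint_policy(POLICY_FROM_POST, kind) or "ok")
```

Run against the posted document, the lint reports the Principal element when the policy is treated as a role policy and reports nothing when it is treated as a function policy, which is the shape `lambda:InvokeFunction` grants to an external principal normally take.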