Architect Data Action invoking AWS Lambda returns 502 Bad Gateway despite valid IAM permissions

502 Bad Gateway

We are attempting to invoke an AWS Lambda function from a Genesys Cloud Architect flow using a POST Data Action. The integration is failing at the platform level, returning a 502 error, even though direct invocation of the Lambda via the AWS Console succeeds with the same payload.

The IAM role attached to the Lambda function has the following policy, which explicitly allows the Genesys Cloud IP ranges (verified via AWS CloudTrail logs showing the request source):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:gc-integration-handler",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["52.30.100.0/24"]
        }
      }
    }
  ]
}

The Data Action configuration in Architect uses the following JSON body:

{
  "endpoint": "https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:gc-integration-handler/invocations",
  "method": "POST",
  "headers": {
    "Content-Type": "application/json",
    "X-Amz-Target": "AWSLambda.Invoke"
  },
  "body": {
    "phoneNumber": "${contact.phoneNumber}",
    "timestamp": "${contact.timestamp}"
  }
}

We have confirmed that the Lambda function itself is healthy and returns a 200 OK with a valid JSON response when tested manually. The issue appears to be strictly within the IAM trust relationship or the way Genesys Cloud signs the request. We are not using an API Gateway; we are invoking Lambda directly.

Is there a specific IAM policy requirement for the Genesys Cloud service principal that we are missing? Or is the X-Amz-Target header being stripped or malformed by the Architect runtime before transmission? We need to understand if the 502 is originating from AWS rejecting the signature or Genesys failing to process the upstream response.
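
For comparison with what the Data Action transmits: the Lambda Invoke REST endpoint expects a Signature Version 4 `Authorization` header, and this added example (not part of the original post) computes the headers a signed POST to the endpoint above would carry, using only the Python standard library. The access key, secret key, timestamp and body values are constructed placeholders, and the function assumes the URL path is passed unencoded, as it appears in the post.

```python
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample inputs: endpoint from the post, placeholder body values.
URL = ("https://lambda.us-east-1.amazonaws.com/2015-03-31/functions/"
       "arn:aws:lambda:us-east-1:123456789012:function:gc-integration-handler/invocations")
BODY = b'{"phoneNumber": "+15555550100", "timestamp": "2024-01-01T00:00:00Z"}'

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(url, body, access_key, secret_key, amz_date,
                  region="us-east-1", service="lambda"):
    """Return the headers a SigV4-signed POST to `url` must carry."""
    parts = urlsplit(url)
    date = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    # Non-S3 services sign the path URI-encoded twice, so each ':' in the
    # ARN becomes %3A on the wire and %253A in the canonical request.
    canonical_uri = quote(quote(parts.path, safe="/~"), safe="/~")
    headers = {
        "content-type": "application/json",
        "host": parts.netloc,
        "x-amz-date": amz_date,
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", canonical_uri, "", canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for step in (region, service, "aws4_request"):
        key = _hmac(key, step)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Placeholder credentials and a fixed timestamp (constructed values).
    for k, v in sigv4_headers(URL, BODY, "AKIAEXAMPLEKEYID", "EXAMPLESECRET",
                              "20240101T000000Z").items():
        print(f"{k}: {v}")
```

The signed header set contains no `X-Amz-Target`, because the Invoke REST API identifies the operation by the request path. A request arriving at this endpoint without the `authorization` and `x-amz-date` headers is unsigned as far as AWS is concerned.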