Architect Data Action Lambda 403: IAM role trust policy issue

Trying to invoke a Lambda from an Architect Data Action. Getting a 403 Access Denied error. The Lambda logs show the role is assumed, but permissions seem off. Here’s the trust policy I’m using. Is the principal correct for Genesys?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "architect.genesys.cloud"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The execution role has lambda:InvokeFunction attached. What am I missing?

Are you using a pure CloudFormation stack or the Genesys Cloud AWS integration? The principal needs to be the specific AWS account ID from the integration, not a generic service name. Check your AWS console under IAM roles to see the exact external ID.
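As an added illustration (not code from either poster or from Genesys), the following Python lints a Lambda execution role's trust policy for the two points raised in the reply: the principal should be the integration's AWS account rather than a generic service name, and the external ID should be pinned with an sts:ExternalId condition. It assumes the trust relationship takes that shape; the account ID 111111111111 and the external ID string are placeholders, and the "posted" policy is a straight-quoted copy of the one in the question.

```python
import json

# Constructed copy of the trust policy posted in the question (straight quotes,
# wrapped in the Version/Statement envelope IAM expects). The Service principal
# is what the reply says is wrong.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "architect.genesys.cloud"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Shape the reply describes: trust the integration's AWS account and pin the
# external ID. Both values are PLACEHOLDERS (hypothetical); copy the real ones
# from the Genesys Cloud AWS Lambda integration in the console.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "REPLACE-WITH-EXTERNAL-ID"}},
        }
    ],
}


def _as_list(value):
    """IAM allows a scalar or a list in Action/Principal/Condition values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list[str]:
    """Return one finding per Allow/sts:AssumeRole statement that does not look like a
    cross-account trust with a pinned external ID. An empty list means no findings."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal or a Service/Federated-only principal is not an account trust.
        if not isinstance(principal, dict) or "AWS" not in principal:
            findings.append(
                f"statement {idx}: principal must be an AWS account or role ARN "
                f"(got {json.dumps(principal)})"
            )
        elif "*" in _as_list(principal["AWS"]):
            findings.append(f"statement {idx}: wildcard AWS principal trusts every account")
        condition = stmt.get("Condition", {})
        external_ids = _as_list(condition.get("StringEquals", {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append(
                f"statement {idx}: no sts:ExternalId condition, so any principal in the "
                "trusted account can assume the role"
            )
    return findings


if __name__ == "__main__":
    for name, policy in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name}: {lint_trust_policy(policy) or ['OK']}")
```

Run it as-is to see the posted policy produce two findings and the placeholder policy produce none; point it at the JSON from `aws iam get-role` to check the role you actually deployed.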