payload = {
    "name": "inventory-check-lambda",
    "type": "http",
    "httpMethod": "POST",
    "url": "https://lambda.us-east-1.amazonaws.com/2015-03-31/function-invocations/prod-inventory",
    "auth": {
        "type": "awsIam",
        "roleArn": "arn:aws:iam::112233445566:role/genesys-lambda-executor"
    }
}
Problem
The Python SDK script pushes this data action to /api/v2/architect/dataactions without any issues. Returns a clean 201. The actual execution inside Architect throws a 403 from AWS. The IAM role definitely exists in the console. Trust policy allows sts:AssumeRole for the Genesys principal, but the invocation still fails. We’ve got the token handling sorted out in the backend code. The data action just needs to hand off the AWS credentials properly through the platform proxy.
Error
{
    "code": "AccessDeniedException",
    "type": "User",
    "message": "User: arn:aws:sts::112233445566:assumed-role/genesys-lambda-executor/gen-session is not authorized to perform: lambda:InvokeFunction"
}
The SDK update call works fine. Architect execution fails on every run. I tried adding lambda:InvokeFunction to the policy document. Trust relationship still blocks it. The Genesys documentation mentions an auth object for external integrations, but the Python SDK model DataActionAuth expects a specific structure. Passing the role ARN directly breaks the JSON schema validation.
Question
What is the correct JSON structure for the auth field when configuring IAM roles for Lambda invocations? The SDK throws a ValidationError on the roleArn key. We’ve been wrapping it inside a credentials object instead, but the endpoint keeps rejecting the payload format. The validation error points to line 14 of the model definition. It’s not clear what nested keys the platform actually expects. Left the script paused while I check the raw API docs.
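
Added example, not part of the original post and not Genesys or AWS code: the principal in the error is an `assumed-role` ARN, so `sts:AssumeRole` had already succeeded when the request was denied, and the check below parses that message and tests whether a role permissions policy covers the denied action on the function. The function ARN (built from the URL and account ID in the post), both policy documents and all helper names are assumptions constructed for illustration, and the evaluator is deliberately simplified.

```python
import fnmatch
import re

# Message text copied from the AccessDeniedException in the post.
ERROR = ("User: arn:aws:sts::112233445566:assumed-role/genesys-lambda-executor/gen-session "
         "is not authorized to perform: lambda:InvokeFunction")
# Assumption: the function lives in the role's account and in the region from the post's URL.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:112233445566:function:prod-inventory"

DENIED = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+)")

def parse_denial(message):
    """Return account, role, session and denied action, or None if the text does not match."""
    m = DENIED.search(message)
    return m.groupdict() if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_policy_allows(policy, action, resource):
    """Simplified check: an explicit Deny wins, otherwise some Allow must match.
    Ignores Condition, NotAction, NotResource, permission boundaries and SCPs."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                  for a in _as_list(stmt.get("Action", [])))
        res = any(fnmatch.fnmatchcase(resource, r)
                  for r in _as_list(stmt.get("Resource", [])))
        if act and res:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def make_policy(resource):
    """Constructed sample permissions policy with a single Allow statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": resource}]}

# Constructed samples: same function name in another region vs. the exact function ARN.
POLICY_WRONG_REGION = make_policy(FUNCTION_ARN.replace("us-east-1", "us-west-2"))
POLICY_SCOPED = make_policy(FUNCTION_ARN)

if __name__ == "__main__":
    denial = parse_denial(ERROR)
    print(denial)
    for name, policy in (("wrong region", POLICY_WRONG_REGION), ("scoped", POLICY_SCOPED)):
        print(name, identity_policy_allows(policy, denial["action"], FUNCTION_ARN))
```

The role's real permissions policy can be loaded as a dict in place of the constructed samples; a resource-based policy on the function, permission boundaries and SCPs are outside what this check models.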