We’re trying to offload some heavy data transformation logic from Architect to an AWS Lambda function using a Genesys Cloud Data Action. The flow is straightforward: capture the interaction data, map it to the request body, and invoke the Lambda. We’ve set up the IAM role in AWS with the necessary permissions for lambda:InvokeFunction, and the trust policy explicitly allows apigateway.amazonaws.com to assume the role, which should cover the Genesys Cloud integration layer. However, every time the flow hits the Data Action step, it fails with a generic 403 Access Denied error in the Genesys Cloud logs. The JSON payload we’re sending looks correct, containing the expected fields like conversationId and customerEmail, but the Lambda never gets triggered. We’ve verified the ARN is correct and matches the region exactly.
Here’s the configuration we’re using in the Architect Data Action settings. The endpoint is configured as a POST request to the Lambda’s ARN. We’ve even tried adding a Content-Type: application/json header explicitly, though the docs suggest it’s optional for ARN invocations. The error response from Genesys is pretty sparse, just returning {"error": "Access Denied", "statusCode": 403}. We’ve checked the CloudWatch logs for the Lambda, and there are no entries at all, which suggests the request isn’t even making it to the AWS side. Is there a specific permission missing on the IAM role, or is there a known issue with how Genesys Cloud formats the invocation request for Lambda ARNs? We’re using the latest version of the Architect client and have double-checked the integration settings in the Genesys Cloud admin console. The Lambda function itself is public enough to be invoked by the API Gateway, but we’re not using API Gateway directly here, just the ARN. Any insights on what might be blocking this?