Architect Data Action Lambda Invocation failing with 403 Forbidden despite correct IAM policy

We are attempting to invoke an AWS Lambda function from within a Genesys Cloud Architect flow using the Invoke Lambda Data Action. The goal is to process some call metadata asynchronously without blocking the customer’s line. The setup seems straightforward on the surface, but we are hitting a persistent 403 Forbidden error when the flow executes.

The Lambda function itself is accessible via the AWS console and triggers correctly when tested manually. The IAM role attached to the execution context has the lambda:InvokeFunction permission explicitly granted. Here is the policy statement we are using:

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:123456789:function:process-call-data"
}

The Data Action configuration in Architect points to the correct ARN. We are passing a simple JSON payload with the interaction ID. The error returned in the flow debug log is quite generic:

{
  "errorCode": "403",
  "message": "User: arn:aws:sts::123456789:assumed-role/genesys-bridge-role/lambda-exec is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:123456789:function:process-call-data"
}

We have verified that the trust relationship allows the assumed role to invoke the function. It’s possible there is a mismatch in the resource ARN format or perhaps a condition key we are missing. We’ve tried adding lambda:InvokeAsync as well, just in case, but that didn’t change the outcome. The region is definitely eu-central-1. Is there a specific format for the ARN in the Data Action that differs from the standard console format? We’ve checked the documentation but it’s vague on this point.
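An offline check that can be run against the two snippets in the question, added here as an example and not code from the original post, Genesys, or AWS. It parses the resource ARN out of the AccessDenied message, applies IAM's wildcard matching (`*` any run of characters, `?` one character, case-sensitive for resources, case-insensitive for actions) to each `Resource` in the policy, and, when nothing matches, reports which ARN field differs. The qualified-ARN case (a `:prod` alias or `:3` version suffix on the invoked function) is an assumption the post does not state; it is included because an unqualified `Resource` does not cover a qualified invocation, which is one way a policy that looks correct still produces exactly this message. The policy and message below are copied from the question; `QUALIFIED_POLICY` is a hypothetical corrected form.

```python
"""Does an IAM identity-policy Resource cover the Lambda ARN an AccessDenied
message names?  Added example for this thread (not Genesys or AWS code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Statement from the question, wrapped in a complete policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:eu-central-1:123456789:function:process-call-data",
    }],
}

# Hypothetical corrected form: covers the unqualified ARN and any alias/version.
QUALIFIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Resource": [
            "arn:aws:lambda:eu-central-1:123456789:function:process-call-data",
            "arn:aws:lambda:eu-central-1:123456789:function:process-call-data:*",
        ],
    }],
}

# Error text from the question; the ARN after "on resource:" is what IAM evaluated.
ERROR_MESSAGE = (
    "User: arn:aws:sts::123456789:assumed-role/genesys-bridge-role/lambda-exec "
    "is not authorized to perform: lambda:InvokeFunction on resource: "
    "arn:aws:lambda:eu-central-1:123456789:function:process-call-data"
)


@dataclass(frozen=True)
class LambdaArn:
    partition: str
    region: str
    account: str
    function: str
    qualifier: Optional[str]  # alias or version; None for the unqualified ARN


def parse_lambda_arn(arn: str) -> LambdaArn:
    """Split arn:PARTITION:lambda:REGION:ACCOUNT:function:NAME[:QUALIFIER]."""
    p = arn.split(":")
    if len(p) not in (7, 8) or p[0] != "arn" or p[2] != "lambda" or p[5] != "function":
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return LambdaArn(p[1], p[3], p[4], p[6], p[7] if len(p) == 8 else None)


def requested_arn(message: str) -> str:
    """Pull the resource ARN IAM actually evaluated out of the error text."""
    m = re.search(r"on resource: (arn:\S+)", message)
    if not m:
        raise ValueError("no resource ARN in message")
    return m.group(1)


def iam_glob(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM policy wildcard semantics: '*' any characters, '?' exactly one."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy: dict, action: str, arn: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(iam_glob(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])) \
                and any(iam_glob(r, arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def diagnose(policy: dict, message: str) -> list:
    """Explain why the requested ARN is, or is not, covered by the policy."""
    arn = requested_arn(message)
    if policy_allows(policy, "lambda:InvokeFunction", arn):
        return ["identity policy covers the requested ARN; check that this policy is "
                "attached to the role in the message and that no Deny, SCP or "
                "permission boundary applies"]
    req = parse_lambda_arn(arn)
    findings = []
    for stmt in policy["Statement"]:
        for res in _as_list(stmt["Resource"]):
            try:
                pat = parse_lambda_arn(res)
            except ValueError:
                continue  # e.g. Resource "*" or a non-Lambda ARN
            for field in ("partition", "region", "account", "function"):
                if not iam_glob(getattr(pat, field), getattr(req, field)):
                    findings.append(f"{field}: policy '{getattr(pat, field)}' vs request '{getattr(req, field)}'")
            if req.qualifier is not None and pat.qualifier is None:
                findings.append(f"request carries qualifier '{req.qualifier}' but Resource is "
                                f"unqualified; add '{res}:*' or '{res}:{req.qualifier}'")
    return findings or ["no Lambda ARN in the policy resembles the requested one"]


if __name__ == "__main__":
    for label, msg in (("as posted", ERROR_MESSAGE), ("alias invoked", ERROR_MESSAGE + ":prod")):
        print(label, "->", diagnose(POLICY, msg))
```

Running it shows that the posted statement does match the posted ARN, which points the investigation away from ARN format and toward which role and policies are actually in effect for the caller in the message; the `:prod` variant shows the qualifier finding and the two `Resource` entries that close it.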