Hey folks,
Trying to call an AWS Lambda function from a Genesys Cloud Architect Data Action. The flow hits the action, but I’m getting a 403 Forbidden. I’ve attached the IAM role ARN in the action settings, and the Lambda has a trigger for the role, but nothing works.
Here’s the error payload I’m seeing in the logs:
{
    "error": "AccessDenied",
    "message": "User: arn:aws:sts::123456:assumed-role/GC-Role is not authorized to perform: lambda:InvokeFunction"
}
Any ideas on the role policy?
Check the Lambda resource policy. The IAM role alone isn’t enough if the Lambda function doesn’t explicitly allow that specific ARN to invoke it. You need to add a permission statement to the function’s policy.
aws lambda add-permission \
    --function-name your-lambda-name \
    --statement-id GenesysCloudInvoke \
    --action lambda:InvokeFunction \
    --principal "arn:aws:iam::123456:role/GC-Role"
The 403 means the request reached AWS, but the function gatekeeper rejected it. Make sure the principal ARN matches exactly what you see in the Architect action logs.
{
    "Statement": [
        {
            "Sid": "GenesysInvoke",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456:role/GC-Role"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456:function:your-lambda-name"
        }
    ]
}
The IAM role binding is just half the handshake. The Lambda resource policy needs to explicitly trust that role. ’s CLI command works, but if you’re managing infrastructure via Terraform or CloudFormation, hardcoding that policy statement prevents drift.
Also double-check the region in the ARN. Architect Data Actions don’t care about your local AWS CLI default region. If the Lambda sits in us-east-1 but your ARN points to eu-west-1, you’ll get a 403. It’s a silent killer.
Verify the principal ARN matches exactly. No typos in the account ID. If you’re using a cross-account role, you might need to add a Condition block with StringEquals for aws:SourceAccount to lock it down tighter.
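Added example, not from any poster in this thread: an offline check of the resource-policy shape the replies describe, run against a constructed copy of the policy above (with the aws:SourceAccount condition added). It maps the STS assumed-role ARN from the error payload to the IAM role ARN the policy must name, then checks principal, action, resource (so the region mismatch fails exactly as the reply warns) and the condition; the policy, ARNs and account ID are assumptions taken from the thread, not live AWS data.

```python
import json
import re

# Constructed sample resource policy modelled on the one posted above; not fetched from AWS.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GenesysInvoke",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456:role/GC-Role"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456:function:your-lambda-name",
        "Condition": {"StringEquals": {"aws:SourceAccount": "123456"}},
    }],
})


def caller_role_arn(sts_arn):
    """Map the STS ARN seen in the AccessDenied message to the IAM role ARN a
    resource policy must name: arn:aws:sts::ACCT:assumed-role/ROLE[/SESSION]
    becomes arn:aws:iam::ACCT:role/ROLE. Anything else is returned unchanged."""
    m = re.fullmatch(r"arn:aws:sts::(\d+):assumed-role/([^/]+)(?:/.*)?", sts_arn)
    if not m:
        return sts_arn
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def invoke_allowed(policy_json, sts_arn, function_arn, source_account=None):
    """True if some Allow statement grants lambda:InvokeFunction on function_arn
    to the caller. Resource ARNs are compared exactly, so a wrong region or
    account ID in the ARN fails just as it does at AWS."""
    principal = caller_role_arn(sts_arn)
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        princ = st.get("Principal", {})
        princ = _as_list(princ.get("AWS", [])) if isinstance(princ, dict) else _as_list(princ)
        if principal not in princ and "*" not in princ:
            continue
        if not any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        resources = _as_list(st.get("Resource", []))
        if function_arn not in resources and "*" not in resources:
            continue
        # StringEquals on a missing request key evaluates false, same as IAM.
        want = st.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if want is not None and source_account != want:
            continue
        return True
    return False
```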