Having some config trouble here as expected when attempting to register a new BYOC trunk via the Genesys Cloud API. The initial trunk creation succeeds, but the subsequent registration step fails immediately.
The environment is a multi-tenant setup with strict network policies. We are using an Architect flow to orchestrate the registration process, which triggers a Data Action to call our internal ServiceNow instance for approval logging before sending the final registration payload to the POST /api/v2/telephony/providers/edges/trunks/{trunkId}/register endpoint.
Error Message: 403 Forbidden - “The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.”
The issue appears to be related to the HMAC-SHA256 signature generation within the webhook payload transformation. The ServiceNow integration is correctly receiving the initial request, but when the Data Action attempts to append the X-Genesys-Request-Signature header, the timestamp drift between the Genesys Cloud edge node and our internal API gateway is causing the signature to expire before validation.
We have verified the clock synchronization via NTP on both the Genesys Cloud side (using the provided public NTP servers) and our internal infrastructure. The skew is less than 50ms, which should be well within the acceptable tolerance for AWS Signature Version 4. However, the 403 response persists.
The webhook payload includes the canonicalRequest and stringToSign for debugging purposes. When we manually replicate the signing process using the exact same secret key and timestamp from the failed request, the signature matches locally. This suggests a potential issue with how the Genesys Cloud Data Action handles the Date header in the signing process or a regional endpoint mismatch in the signature calculation.
Has anyone encountered similar signature mismatches when integrating BYOC trunk registration with external ticketing systems via Data Actions? Specifically, looking for insights on whether the X-Genesys-Request-Signature generation logic differs between standard webhooks and Data Action HTTP requests.