Data Action Invoke Lambda 403 Forbidden despite correct IAM policy

Trying to call an AWS Lambda function from a CXone Architect Data Action. Getting a 403 Forbidden error in the logs. The IAM role attached to the Lambda has lambda:InvokeFunction permission, and the Data Action is using a valid API key. Here is the IAM policy statement:

{
 "Effect": "Allow",
 "Action": "lambda:InvokeFunction",
 "Resource": "arn:aws:lambda:us-west-2:123456789:function:my-contact-handler"
}

Is the Data Action sending the request from a specific IP that needs to be whitelisted in the resource policy? Or am I missing a header in the HTTP request configuration?

{
 "Effect": "Allow",
 "Action": "lambda:InvokeFunction",
 "Resource": "arn:aws:lambda:us-west-2:123456789:function:my-contact-handler",
 "Condition": {
  "StringEquals": {
   "aws:SourceVpce": "vpce-123456789"
  }
 }
}

Check your Lambda’s resource policy. The IAM role on the function is irrelevant if the invoke source isn’t explicitly allowed in the resource policy itself. You’re hitting the default deny.
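
Added example, not code from the thread: a simplified check of a Lambda resource policy (the JSON string that `aws lambda get-policy` returns in its `Policy` field) showing which Allow statements cover `lambda:InvokeFunction` for a given caller and VPC endpoint. The caller ARN and Sid are constructed placeholders, and only exact matches and `*` are handled, so this is not a full IAM evaluation.

```python
import json

FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789:function:my-contact-handler"
CALLER_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-CALLER"  # constructed placeholder
# Constructed sample resource policy; Sid and Principal are assumptions.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "example-invoke",
    "Effect": "Allow",
    "Principal": {"AWS": CALLER_ARN},
    "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN,
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-123456789"}},
}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # Simplification: exact ARN match or "*"; account-root expansion is not modelled.
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    values = [v for vals in principal.values() for v in _as_list(vals)]
    return "*" in values or caller_arn in values

def check_invoke(policy_json, function_arn, caller_arn, vpce_id=None):
    """Return (sid, verdict) for each Allow statement covering InvokeFunction."""
    results = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if st.get("Effect") != "Allow" or not actions & {"lambda:invokefunction", "lambda:*", "*"}:
            continue
        if not {function_arn, "*"} & set(_as_list(st.get("Resource", []))):
            continue
        problems = []
        if not _principal_matches(st.get("Principal"), caller_arn):
            problems.append("principal not listed")
        for op, keys in st.get("Condition", {}).items():
            for key, wanted in keys.items():
                if (op, key.lower()) != ("StringEquals", "aws:sourcevpce"):
                    problems.append(f"unevaluated condition {op}/{key}")
                elif vpce_id not in _as_list(wanted):
                    problems.append("aws:SourceVpce mismatch")
        results.append((st.get("Sid", "<no Sid>"), "; ".join(problems) or "allowed"))
    return results
```

An empty result means no statement in the resource policy grants invoke on that function at all, which is the default-deny case described above.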