Data Action InvokeLambda throwing 403 InvalidSignature despite correct IAM Trust Policy

I’m hitting a wall with the InvokeLambda data action in Architect. The call returns a generic 403 Forbidden with the message "The security token included in the request is invalid." in the error payload. I’ve verified the IAM role attached to the Genesys Cloud application has the lambda:InvokeFunction permission, and the trust policy explicitly allows genesys.cloud.amazonaws.com to assume the role.

Here’s the minimal test setup:

  1. Lambda function test-gc-invocation (Node.js 18) in us-east-1.
  2. IAM Role gc-lambda-exec-role with Trust Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Wait, that’s for the Lambda execution role. The calling role needs to be assumed by Genesys. I added a second statement to the trust policy of the role Genesys uses:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "genesys.cloud.amazonaws.com"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringEquals": {
      "aws:SourceAccount": "123456789012"
    }
  }
}

The Data Action configuration uses this role ARN. When I trigger the flow, the debug log shows:

{ "errorCode": "403", "message": "The security token included in the request is invalid.", "requestId": "abc-123" }

I’ve tried adding the lambda:InvokeFunction policy to the role, but it doesn’t even get to the policy evaluation stage if the signature is bad. Is there a specific region binding I’m missing? The Lambda is in us-east-1, but the Genesys org is in us-east-1 as well. No cross-region issues. Could it be the way the external integration is configured? I’m using the built-in AWS Lambda integration type, not a custom HTTP endpoint. Any ideas on what Genesys is signing with that AWS is rejecting?
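Before chasing the signature error, it helps to confirm exactly which callers the trust policy admits, and under which request context. The following checker is an added example written for this thread, not code from the original post or from Genesys or AWS. It assembles a sample trust policy from the two fragments quoted above (constructed, with the post's placeholder account id), then evaluates whether a given principal with a given set of condition keys would be allowed to call sts:AssumeRole. The function names (`can_assume_role` and its helpers) are hypothetical, and the evaluator only models the common shapes (Service/AWS principals, `*`, StringEquals, StringLike, Allow/Deny); it is not the IAM policy engine and does not replace the IAM policy simulator.

```python
"""Trust-policy sanity checker (added example, not from the original post).

Given an IAM role trust policy (a dict) and a would-be caller, report whether
any statement grants sts:AssumeRole. Hypothetical helper, not an AWS API.
Limitations: NotPrincipal, NotAction and set operators (ForAnyValue, ...) are
not modeled; unknown condition operators fail closed.
"""
import fnmatch
import json

# Constructed sample, assembled from the two trust-policy fragments in the
# post above. The account id is the post's own placeholder value.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": { "Service": "genesys.cloud.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" } }
    }
  ]
}
""")

# Any of these action strings covers sts:AssumeRole.
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a scalar or a list in most positions; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_type, caller_id):
    """caller_type is the principal block key, e.g. "Service" or "AWS"."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    entries = _as_list(principal.get(caller_type, []))
    return "*" in entries or caller_id in entries


def _condition_matches(condition, context):
    """A condition key missing from the request context never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, pat)
                           for pat in _as_list(expected)):
                    return False
            else:
                return False  # unsupported operator: fail closed
    return True


def can_assume_role(policy, caller_type, caller_id, context=None):
    """True only if an Allow statement matches and no Deny statement does."""
    context = context or {}
    explicit_allow = False
    for stmt in policy.get("Statement", []):
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_type, caller_id):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            explicit_allow = True
    return explicit_allow


if __name__ == "__main__":
    checks = [
        ("Service", "genesys.cloud.amazonaws.com", {"aws:SourceAccount": "123456789012"}),
        ("Service", "genesys.cloud.amazonaws.com", {}),
        ("Service", "genesys.cloud.amazonaws.com", {"aws:SourceAccount": "999999999999"}),
        ("Service", "lambda.amazonaws.com", {}),
        ("AWS", "arn:aws:iam::123456789012:root", {}),
    ]
    for ctype, cid, ctx in checks:
        ok = can_assume_role(SAMPLE_TRUST_POLICY, ctype, cid, ctx)
        print(f"{ctype}:{cid} with {ctx or 'no context'} -> {'ALLOW' if ok else 'deny'}")
```

Running the checker shows that the second statement admits the service principal only when the request carries `aws:SourceAccount` equal to the configured account; with the key absent or mismatched the same principal is refused, which is the behaviour to expect from the `StringEquals` condition regardless of how the invoking side signs its request.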