We’re hitting a wall trying to invoke an AWS Lambda function from a Genesys Cloud Data Action. The goal is simple: pass the current contact’s trace context to the Lambda for enrichment, get the result back, and continue the flow. But the invocation keeps failing with a 403 Access Denied error.
I’ve set up the Data Action with the standard Lambda integration. The payload looks correct, and the Lambda is definitely public (or at least configured to accept requests from our IP, though I’m not sure if that matters for API Gateway vs direct invoke). Here’s the JSON payload we’re sending:
{
  "functionName": "gc-enrichment-lambda",
  "invokeMode": "SYNC",
  "payload": {
    "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
    "contactId": "12345"
  }
}
The error response from Genesys is straightforward:
{
  "message": "Access Denied",
  "statusCode": 403
}
I’m pretty sure this is an IAM role issue on the AWS side, but I’ve tried every combination I can think of. The Lambda’s execution role has the AWSLambdaBasicExecutionRole policy attached. I also tried adding a custom policy to allow lambda:InvokeFunction, but that didn’t change anything.
Is there a specific IAM policy required for the Lambda to accept invocations from a Data Action? Or is the issue on the Genesys side? I’ve checked the Data Action logs, and they show the request being sent successfully, so it’s not a timeout or network issue.
We’re using the latest version of the Lambda integration, and the function is in the us-east-1 region. Any help would be appreciated. We’re trying to keep the trace context alive, and this error is breaking the chain.
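Added example, not part of the original post: a simplified evaluator for IAM identity-policy statements, run over constructed policies, showing that the statements in AWSLambdaBasicExecutionRole do not cover lambda:InvokeFunction on the function, while a policy attached to the identity that makes the call does. The account ID, the caller-role policy and the premise that the Data Action calls Lambda through an IAM role of its own are assumptions; conditions, resource-based policies and permission boundaries are ignored.

```python
import fnmatch

# Constructed sample values; the account ID is a placeholder.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:gc-enrichment-lambda"

# Statements of the AWS managed policy AWSLambdaBasicExecutionRole:
# it only covers writing the function's own CloudWatch logs.
EXECUTION_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "*",
}]}

# Hypothetical policy attached to the role the caller invokes with (assumption).
CALLER_ROLE_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN,
}]}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified check: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; '*' and '?' are IAM wildcards.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in [("execution role", EXECUTION_ROLE_POLICY),
                         ("caller role", CALLER_ROLE_POLICY)]:
        verdict = allows(policy, "lambda:InvokeFunction", FUNCTION_ARN)
        print(f"{name}: lambda:InvokeFunction allowed = {verdict}")
```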