I’m trying to propagate OpenTelemetry trace context from a Genesys Cloud Architect flow into an AWS Lambda via a Data Action call. The setup seems correct on the Architect side, but the Lambda invocation keeps failing with a 403 Forbidden. Here is the relevant IAM policy attached to the execution role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789:function:otel-tracer"
        }
    ]
}
The error response from the Data Action is just status: 403, message: User: arn:aws:sts::123456789:assumed-role/gc-lambda-role/i-0123456 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789:function:otel-tracer. I’ve confirmed the ARN matches exactly. Is there a specific permission boundary or trust policy requirement I’m missing when calling Lambda from Genesys Cloud? The trace context injection works fine for HTTP endpoints, so I suspect it’s strictly an IAM issue. Just need to get the span started before the Lambda processes the data.
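As an added check (this is not code from the question, from Genesys Cloud or from AWS), here is a simplified same-account policy evaluator: it confirms that the posted statement on its own does grant lambda:InvokeFunction on that ARN, and shows how a permission boundary (a constructed example named EXAMPLE_BOUNDARY) can still leave the role without effective permission. It does not model SCPs, Lambda resource policies, NotAction/NotResource or Condition keys, so an "allowed" result here only means the identity-policy side is not the blocker.

```python
import fnmatch

# The statement from the question, wrapped in a full policy document (wrapper constructed here).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789:function:otel-tracer",
    }],
}

# Hypothetical permission boundary: it only allows Lambda calls on functions named approved-*,
# so the role's effective permissions exclude otel-tracer even though the identity policy allows it.
EXAMPLE_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:*",
        "Resource": "arn:aws:lambda:us-east-1:123456789:function:approved-*",
    }],
}

def _matches(patterns, value, fold_case):
    # IAM wildcards are '*' and '?'; action names match case-insensitively, ARNs do not.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document.
    Simplified: explicit Deny wins, then any matching Allow; NotAction, NotResource
    and Condition blocks are not modelled."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        if not (_matches(statement.get("Action", []), action, True)
                and _matches(statement.get("Resource", []), resource, False)):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def is_authorized(identity_policy, action, resource, boundary=None):
    """Same-account decision: identity policy must allow, and so must the boundary if one is set."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    return boundary is None or evaluate(boundary, action, resource) == "Allow"
```

If this returns True for the real role's policies, the 403 is coming from a layer this check ignores (boundary, SCP or the function's resource policy), which is where to look next.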