Python Lambda choking on GC EventBridge voice analytics payload during Data Actions CRM lookup

We’ve got an EventBridge rule catching those voice analytics events from Genesys Cloud, and the Python handler is supposed to pull the sentiment score, hit the Data Actions API for a quick CRM enrichment, then dump the whole thing into DynamoDB. The routing works fine until the enrichment step. I’m building the request like this: headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"} and payload = {"dataActionId": "crm-lookup-928", "input": {"phone": event["detail"]["phone"]["number"]}}. When the Lambda fires, it keeps returning a 403 on the POST to /api/v2/data/actions/{dataActionId}/execute. The docs say it needs data:data-actions:execute, but the token I’m generating via client credentials definitely has that scope attached. I’m verifying the token payload in a local debug script and the scope list looks correct. Maybe the Data Actions endpoint is rejecting the nested input structure? I’ve tried flattening it to just {"phone": "+1555..."} but that throws a 400 instead. The sentiment extraction part is straightforward, just grabbing event["detail"]["sentiment"]["score"], but the CRM call keeps timing out after 15 seconds. I’m using requests.post with a 10 second timeout, and the response body just says {"code":"forbidden","message":"Unauthorized"}. I’m wondering if the EventBridge event structure changed recently because the detail key sometimes contains a wrapped analytics object that shifts the phone number path. I added a fallback parser to check event.get("detail", {}).get("phone", {}).get("number") but the 403 still hits. Is there a specific header I’m missing for cross-service calls from Lambda to the GC API, or does the data action execution require a different grant type? The Sidekiq workers back in Rails handle these lookups fine with the same token, so it’s not the credential rotation. The timeout keeps blowing past the handler limit and I haven’t figured out why the signature validation passes locally but fails in the cold start environment.

Cause: PureCloudPlatformClientV2 manages the OAuth lifecycle at the class instantiation level, so manual header injection failed during testing because the session state doesn’t persist on lambda cold starts.
Solution: Switch to the genesys-cloud-python-sdk data action client, since api_instance.execute_data_action(data_action_id, input_obj) handles the payload schema validation automatically.