Create IAM resources to invoke an AWS Lambda function


Note: This article applies to the AWS Lambda data actions integration.

To access AWS Lambda functions, Genesys Cloud must have permission to use resources in your Amazon Web Services (AWS) account. This procedure explains how to create a policy, create an IAM role in AWS, and attach this role to the policy. Later you assign this role to the AWS Lambda data actions integration in Genesys Cloud.

Note: AWS Identity and Access Management (IAM) is a web service that controls access to AWS resources. An IAM role is similar to a user, because it defines an AWS identity with permission policies that determine what the identity can and cannot do in AWS. Trusted identities, including applications such as Genesys Cloud, AWS services such as EC2, or an end user, assume the IAM role. Each IAM role defines necessary permissions to make AWS service requests. For more information, see IAM Roles in Amazon’s AWS Identity and Access Management User Guide.

To create a policy, create an IAM role, and attach this role to the policy, follow these steps:

  1. Log in to AWS.
  2. Navigate to the AWS Services page.
  3. Retrieve the ARN on the AWS Lambda function that you want Genesys Cloud to invoke.
    Note: This AWS Lambda function must exist in the same AWS region as your Genesys Cloud organization. For more information, see AWS regions for Genesys Cloud deployment.
    1. Click Lambda.
    2. Select the AWS Lambda function that you want to invoke.
    3. Copy the ARN for the AWS Lambda function. You use this ARN on a policy that you create.
  4. Click IAM.
  5. Create a policy. Policies specify what resources roles can act on and how roles can act on the resources.
    1. Under Dashboard, select Policies.
    2. Click Create policy
    3. On the Visual editor tab, configure the following items:
      1. Under Service, click Choose a service and click Lambda. This setting specifies what service the policy calls.
      2. Under Actions and Access level, click the arrow next to Write and select the invokeFunction check box. This setting specifies what actions the policy grants to the AWS Lambda function.
      3. Under Resources, select Specific and click Add ARN. Paste the ARN that you copied from the AWS Lambda function in step 3. This setting specifies to which AWS Lambda function the policy grants the invoke permission.
    4. Click Review policy.
    5. In the Name box, type a name for the policy. 
    6. Click Create policy.
  6. Create a role that uses this policy.
    1. Under Dashboard, click Roles.
    2. On the Roles page, click Create role.
    3. Select Another AWS Account as the type of trusted entity.
    4. In the Account ID box, enter 765628985471. This number is Genesys Cloud’s production AWS account ID. 
    5. Select the Require external ID check box and enter your Genesys Cloud organization ID.
    6. Click Next: Permissions.
  7. Attach permission policies to this role.
    1. Select the policy that you created.
    2. Click Next: Review.
    3. In the Role name box, type a name for the role.
    4. In the Role description box, enter descriptive text about the role.
    5. Verify that the account number for Trusted entities matches the Genesys Cloud production AWS account ID that you entered earlier.
    6. Click Create role.
    7. Click the name of the role that you created. Summary details about the role appear.
    8. If you want more than one Genesys Cloud organization to be able to invoke the AWS Lambda function, then add multiple Genesys Cloud organization IDs to the JSON.
      1. Click Trust relationships.
      2. Click Edit trust relationship.
      3. Under sts:ExternalId, add additional Genesys Cloud organization IDs. See the following example.
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::765628985471:root"
              },
              "Action": "sts:AssumeRole",
              "Condition": {
                "StringLike": {
                  "sts:ExternalId": [
                    "91cf9239-f549-465b-8cad-9b46f1420818",
                    "90b7f8c9-790e-43f9-ad67-92b61365a4d0"
                  ]
                }
              }
            }
          ]
        }
        	
      4. Click Update Trust Policy.
    9. Copy the Role ARN by clicking the Copy icon to the right of Role ARN. You use this Role ARN for your credentials when you add an AWS Lambda data action integration in Genesys Cloud.

Next, add an AWS Lambda data actions integration.

For more information about the integration, see About the AWS Lambda data actions integration.