How do I troubleshoot Lambda function failures in an Amazon Connect contact flow?

I want to know why my AWS Lambda function fails to invoke when my contact flow tries to invoke the function in Amazon Connect.

Resolution

Verify the error message in the contact flow log

Complete the following tasks:

  • If you haven't configured the contact flow log, then turn on contact flow logging for your Amazon Connect instance.
  • Search your contact flow logs for any error messages. For example, to search for an error message in a specific time frame, run a query similar to the following:
    fields @timestamp, @message
    | filter @message like 'Results'
    | parse @message '"Results":"*","ContactId":"*","ContactFlowId":"*","ContactFlowName":"*","ContactFlowModuleType":"*"' as Results, ContactId, ContactFlowId, ContactFlowName, BlockType
    | filter Results like 'rror' or Results like 'ailed' or Results like 'imeout' or Results like 'xception' or Results like 'No prompt provided' or Results like 'Instance has reached concurrent Lambda thread access limit' or Results like 'nsupported' or Results like 'nvalid' or Results like 'not found' or Results like 'execution limit reached'
    | filter BlockType = 'InvokeExternalResource'
    | sort @timestamp asc
    | display Timestamp, Results, ContactId, ContactFlowId, ContactFlowName, BlockType

Based on the error message, complete the following tasks.

Status Code: 403; Error Code: AccessDeniedException; RequestId: XXXXXXXX

If your function's resource-based policy doesn't grant Amazon Connect permission to invoke the function, then you might get the preceding error. You can review your function's resource-based policy to see if the policy includes the required permissions.

To add the required permissions to the policy, use one of the following methods:

  • Use the Amazon Connect console to Add a Lambda function to your instance. The function automatically gets resource permissions when added to the instance.

  • Run the add-permission AWS Command Line Interface (AWS CLI) command. Include the principal connect.amazonaws.com and the Amazon Resource Name (ARN) of your Amazon Connect instance.
    Example:

    aws lambda add-permission --function-name function-name --action lambda:InvokeFunction --statement-id connect-to-lambda --principal connect.amazonaws.com --source-arn connect-instance-arn
  • Use the Lambda console to create a resource-based policy. For more information, see Managing permissions in Lambda.
    Example resource-based policy:

    {
      "Version": "2012-10-17",
      "Id": "default",
      "Statement": [
        {
          "Sid": "100",
          "Effect": "Allow",
          "Principal": {
            "Service": "connect.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "<Qualified AWS Lambda ARN>",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "<Amazon Connect ARN>"
            }
          }
        }
      ]
    }
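The following added example (not part of the original article) audits a function's resource-based policy document offline and reports whether each statement that lets connect.amazonaws.com invoke the function is scoped to your instance through AWS:SourceArn. The function name, status labels, and sample ARNs are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values; the ARNs are placeholders, not real resources.
INSTANCE_ARN = "arn:aws:connect:us-east-1:111122223333:instance/EXAMPLE-ID"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "scoped", "Effect": "Allow",
     "Principal": {"Service": "connect.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": "<Qualified AWS Lambda ARN>",
     "Condition": {"ArnLike": {"AWS:SourceArn": INSTANCE_ARN}}},
    {"Sid": "unscoped", "Effect": "Allow",
     "Principal": {"Service": "connect.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": "<Qualified AWS Lambda ARN>"},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_connect_grants(policy_json, instance_arn):
    """Return (Sid, status) for each statement that lets Connect invoke."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "connect.amazonaws.com" not in services:
            continue
        if "lambda:InvokeFunction" not in _as_list(stmt.get("Action", [])):
            continue
        # Collect aws:SourceArn values; condition key names are case-insensitive.
        patterns = [arn
                    for keys in stmt.get("Condition", {}).values()
                    for key, val in keys.items() if key.lower() == "aws:sourcearn"
                    for arn in _as_list(val)]
        if not patterns:
            status = "UNSCOPED"        # grant is not tied to one Connect instance
        elif any(fnmatchcase(instance_arn, p) for p in patterns):  # approximates ArnLike
            status = "OK"
        else:
            status = "WRONG_INSTANCE"  # scoped to a different source ARN
        findings.append((stmt.get("Sid"), status))
    return findings
```

An empty result, or only WRONG_INSTANCE entries, means the policy has no grant that covers your instance. UNSCOPED entries work but should be replaced with a statement that carries the source ARN condition.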

"The Lambda Function Returned An Error"

To find out what might have caused the preceding error, check the Amazon CloudWatch metrics for Lambda. Review the metrics for data at the related timestamp.

If the error metrics don't contain data at the related timestamp, then verify your function's response.

Note: It's a best practice to test the output returned from your Lambda function. Confirm that the Lambda function returns the output in a format that's compatible with Amazon Connect.

For the output, review the following configurations:

  • The Lambda payload must be a value other than NULL.
  • If the Response Validation type is a STRING_MAP, then the output must be a flat object of key-value pairs, and it can't be nested. If the type is JSON, then the object must be a valid JSON value and it can include a nested JSON.
  • The key-value pairs can include only alphanumeric characters, the dash character, or the underscore character.
  • The size of the returned data must be less than 32 KB of UTF-8 data.
  • Verify that the Timeout setting for your Lambda function is set to a high enough value. The value must be high enough to allow your function to invoke, process data, and then return a response.
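The following added example (not part of the original article) checks a candidate Lambda return value against the output rules in the preceding list before you deploy the function. The function name and sample payloads are assumptions, and the size is measured on a compact JSON serialization, which might differ slightly from what your runtime emits.

```python
import json
import re

MAX_BYTES = 32 * 1024                      # "less than 32 KB of UTF-8 data"
ALLOWED = re.compile(r"[A-Za-z0-9_-]+")    # alphanumeric, dash, underscore

# Constructed sample payloads.
GOOD = {"customerTier": "gold", "queue_name": "billing-escalation"}
NESTED = {"customer": {"tier": "gold"}}
BAD_CHARS = {"callback number": "+1 555 0100"}


def check_connect_response(payload, validation_type="STRING_MAP"):
    """Return a list of problems; an empty list means the payload passes."""
    if payload is None:
        return ["payload is NULL"]
    try:
        # Assumption: size is measured on the compact JSON serialization.
        encoded = json.dumps(payload, ensure_ascii=False,
                             separators=(",", ":")).encode("utf-8")
    except (TypeError, ValueError) as exc:
        return [f"payload is not JSON-serializable: {exc}"]
    problems = []
    if len(encoded) >= MAX_BYTES:
        problems.append(f"payload is {len(encoded)} bytes; must be < {MAX_BYTES}")
    if validation_type != "STRING_MAP":
        return problems                    # JSON type: nesting is allowed
    if not isinstance(payload, dict):
        return problems + ["STRING_MAP requires a flat object"]
    for key, value in payload.items():
        if isinstance(value, (dict, list)):
            problems.append(f"nested value under key {key!r}")
            continue
        # The page's character rule, applied to keys and string values.
        for label, text in (("key", key), ("value", value)):
            if isinstance(text, str) and not ALLOWED.fullmatch(text):
                problems.append(f"{label} {text!r} has disallowed characters")
    return problems
```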

When you use the invoke Lambda function block in the contact flow, its Timeout limit is lower than the maximum timeout that you can configure on the Lambda function itself. The block's Timeout setting has a default value of 3 seconds and a maximum value of 8 seconds.

For example, suppose that your Lambda function is configured with a timeout value of 15 seconds, and your Lambda runs for 10 seconds. Though you don't get a timeout error, the contact flow routes the execution to the error branch because the maximum allowable Timeout value is 8 seconds.

To find how long it takes your function to invoke, review the Duration metrics for the function in Amazon CloudWatch. Then, update the timeout value of the invoke Lambda function block and of the Lambda functions, as needed.

Note: To include Lambda functions in your contact flow that take longer than eight seconds to invoke, use asynchronous Lambda functions with Amazon Connect. If you invoke multiple Lambda functions, then the duration of the function sequence must be 20 seconds or less.

If the Lambda Error metrics contain data at the related timestamp, then complete the steps in How do I troubleshoot Lambda function failures?

Related information

Invoke an AWS Lambda function alias from Amazon Connect