How do I troubleshoot Lambda function failures in an Amazon Connect contact flow?

3 minute read

I want to know why my AWS Lambda function fails to invoke when my contact flow tries to invoke the function in Amazon Connect.


Verify that your Lambda function's resource-based policy grants Amazon Connect permission to invoke the function

1.    If you haven't done so already, turn on contact flow logging for your Amazon Connect instance.

2.    Search your contact flow logs for any AccessDeniedException error messages. You see this error when your function's AWS Identity and Access Management (IAM) resource-based policy doesn't grant Amazon Connect permission to invoke the function.

Note: You can also review your function's resource-based policy manually to see if it includes the required permissions. For more information, see Using resource-based policies for AWS Lambda.

To add the required permissions

Run the add-permission AWS CLI command. Include the principal and the Amazon Resource Name (ARN) of your Amazon Connect instance.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

For more information, see Create a Lambda function in the Amazon Connect Administrator Guide. Also, Granting function access to AWS services in the Lambda Developer Guide.

Example resource-based policy for a Lambda function that grants Amazon Connect permission to invoke the function

Important: Replace with your function's ARN. Replace with your Amazon Connect instance's ARN.

  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
      "Sid": "100",
      "Effect": "Allow",
      "Principal": {
        "Service": ""
      "Action": "lambda:InvokeFunction",
      "Resource": "<Qualified AWS Lambda ARN>",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "<Amazon Connect ARN>"

Verify your Lambda function's response

Follow the instructions in Verify the function response in the Amazon Connect Administrator Guide. When you test the output returned from your Lambda function, verify the following:

  • The output is a flat object of key-value pairs.
  • The key-value pairs include only alphanumeric, dash, and underscore characters.
  • The object isn't nested or complex.
  • The size of the returned data is less than 32 KB of UTF-8 data.

Verify that the Timeout setting for your Lambda function is set high enough to allow your function to invoke

If your function doesn't invoke within the configured Timeout setting, then the contact routes down the Error branch of the Invoke AWS Lambda function. The default Timeout setting is three seconds. The maximum Timeout setting is eight seconds.

To see how long it takes your function to invoke, review your function's Duration metrics in Amazon CloudWatch.

To review and edit the Timeout setting on your Lambda function, see Contact block: Invoke AWS Lambda function.

Note: To include Lambda functions in your contact flow that take longer than eight seconds to invoke, use asynchronous Lambda functions with Amazon Connect.

If you're invoking multiple Lambda functions, then make sure the duration of the sequence of functions is less than 20 seconds

Amazon Connect limits the duration of a sequence of Lambda functions to 20 seconds.

For more information, see the Lambda section of Best practices for Amazon Connect in the Amazon Connect Administrator Guide.

Identify and resolve any other errors that are causing your function to fail

Follow the instructions in How do I troubleshoot Lambda function failures?

Related information

Invoke an AWS Lambda function alias from Amazon Connect

AWS OFFICIALUpdated a year ago