Error when Bedrock agent invoke lambda

Was able to solve my issue. You need to add a resource-based policy statement on the Lambda.

1. Go into Lambda function
2. Select Configuration tab
3. Select Permission menu item
4. Scroll down to Resource-based Policy Statements and click Add Permissions button
5. Click AWS Service radio button
6. Choose Other from the Service dropdown
7. Enter anything for Statement ID
8. Enter bedrock.amazonaws.com for the Principal
9. Enter your Bedrock Agent's ARN as the Source ARN
10. Select lambda:InvokeFunctionas the Action
11. Click Save

I'm having same error. I gave both Bedrock Agent IAM role and Lambda role AdministratorAccess policy and still getting the error. Executing the Lambda manually is fine but can't run test with Bedrock Agent.

The trace from the Bedrock Agent test shows that in pre-processing step, it correctly classified my input. The orchestration step shows that it understood the input correctly and was ready to call the right function with the right mapping of parameters. But that's all I see. There's only that single step and nothing else and there's nothing on the post-processing tab.

The error states Access denied while invoking Lambda function arn:aws:lambda:us-west-2:xxxxxxxxxxxx:function:yyyyyy Check the permissions on Lambda function and retry the request. I checked the CloudWatch logs for the Lambda and there's nothing which seems to confirm Bedrock is unable to even invoke the Lambda function.

To complete the answer here is the CDK way to add this Resource-based Policy Statement:

lambda_.CfnPermission(
      self,
      "BedrockInvocationPermission",
       action="lambda:InvokeFunction",
       function_name=action_group_function.function_name,
       principal="bedrock.amazonaws.com",
       source_arn=agent.agent_arn,
)