How do I troubleshoot Lambda function failures in an Amazon Connect contact flow?

Last updated: 2021-08-24

The AWS Lambda function that I added to my Amazon Connect instance fails to invoke when my contact flow tries to invoke the function. How do I troubleshoot the issue?

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Verify that your Lambda function's resource-based policy grants Amazon Connect permission to invoke the function

1.    If you haven't done so already, turn on contact flow logging for your Amazon Connect instance.

2.    Search your contact flow logs for any AccessDeniedException error messages. You see this error when your function's AWS Identity and Access Management (IAM) resource-based policy doesn't grant Amazon Connect permission to invoke the function.

Note: You can also review your function's resource-based policy manually to see if it includes the required permissions. For more information, see Using resource-based polices for AWS Lambda.

To add the required permissions

Run the add-permission AWS CLI command. Include the principal connect.amazonaws.com and the Amazon Resource Name (ARN) of your Amazon Connect instance.

For more information, see Create a Lambda function in the Amazon Connect administrator guide. Also, Granting function access to AWS services in the Lambda developer guide.

Example resource-based policy for a Lambda function that grants Amazon Connect permission to invoke the function

Important: Replace <Qualified AWS Lambda ARN> with your function's ARN. Replace <Amazon Connect ARN> with your Amazon Connect instance's ARN.

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "100",
            "Effect": "Allow",
            "Principal": {
              "Service": "connect.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource":  "<Qualified AWS Lambda ARN>",
            "Condition": {
              "ArnLike": {
                "AWS:SourceArn": "<Amazon Connect ARN>"
              }
            }
        }
     ]
}

Verify your Lambda function's response

Follow the instructions in Verify the function response in the Amazon Connect administrator guide. When you test the output returned from your Lambda function, verify the following:

  • The output is a flat object of key-value pairs.
  • The key-value pairs include only alphanumeric, dash, and underscore characters.
  • The object isn't nested or complex.
  • The size of the returned data is less than 32 KB of UTF-8 data.

Verify that the "Timeout" setting for your Lambda function is set high enough to allow your function to invoke

If your function doesn't invoke within the configured Timeout setting, then the contact routes down the Error branch of the Invoke AWS Lambda function contact block. The default Timeout setting is three seconds. The maximum Timeout setting is eight seconds.

To see how long it takes your function to invoke, review your function's Duration metrics in Amazon CloudWatch.

To review and edit the Timeout setting on your Lambda function, see Contact block: Invoke AWS Lambda function.

Note: To include Lambda functions in your contact flow that take longer than eight seconds to invoke, use asynchronous Lambda functions with Amazon Connect.

(If you're invoking multiple Lambda functions) Make sure the duration of the sequence of functions is less than 20 seconds

Amazon Connect limits the duration of a sequence of Lambda functions to 20 seconds. To invoke multiple functions that last longer than 20 seconds, you can add a Play prompt contact block between each of the functions.

For more information, see the Lambda section of Best practices for Amazon Connect in the Amazon Connect administrator guide.

Identify and resolve any other errors that are causing your function to fail


Did this article help?


Do you need billing or technical support?