Reading various forum posts has led me to this solution…
Change the serverless yml escape sequence:
variableSyntax: '\$<([ :a-zA-Z0-9._,\\-\\/\\(\\)]+?)>'
Change all of my serverless variable references to match the new syntax:
DYNAMODB_TABLE: $<self:service>-$<opt:stage, self:provider.stage>
Now I can use AWS variables in the yml file:
Condition:
ForAllValues:StringEquals:
dynamodb:LeadingKeys:
["${cognito-identity.amazonaws.com:sub}"]
Is there a better way to do this? I quickly stumbled into this conflict as a new user and got bogged down trying to find a work around.