iamRoleStatements for multiple DynamoDB tables

Hi,

I’m trying to define the iamRoleStatements section for two DynamoDB tables. I’ve found different YAML styles of defining this on different websites, but none of them worked. Here’s what I tried.

Version 1:

  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource:
        - Fn::GetAtt:
            - EntitiesTable
            - Arn
        - Fn::GetAtt:
            - UsersTable
            - Arn

Version 2:

  iamRoleStatements:
      ...
      Resource:
        - { "Fn::GetAtt": ["EntitiesTable", "Arn"] }
        - { "Fn::GetAtt": ["UsersTable", "Arn"] }

Version 3:

  iamRoleStatements:
      ...
      Resource:
        "Fn::GetAtt":
          - [ EntitiesTable, Arn ]
          - [ UsersTable, Arn ]

As I mentioned, none of the above works: I’m always getting either

An error occurred: UsersTable - User: arn:aws:iam::***:user/spatial-stream is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-north-1:***:table/dev-users (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;

or

An error occurred: EntitiesTable - User: arn:aws:iam::***:user/spatial-stream is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-north-1:***:table/dev-entities (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;

So only the problematic table changes, but not the error itself.

Is it that all of these approaches are wrong and I need some other syntax, or am I facing some kind of bug?
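
Added example, not part of the original post: a Python triage helper that parses the two AccessDeniedException messages quoted above and groups them by denied principal into the smallest Allow statement that would cover them. Both messages name the IAM user spatial-stream (the credentials running the deployment), whereas iamRoleStatements in the Serverless Framework shapes the role the service's functions run under. All function and variable names are hypothetical.

```python
import json
import re
from collections import defaultdict

# The two error messages quoted in the post (account IDs are masked as *** there).
ERRORS = [
    "An error occurred: UsersTable - User: arn:aws:iam::***:user/spatial-stream "
    "is not authorized to perform: dynamodb:DescribeTable on resource: "
    "arn:aws:dynamodb:eu-north-1:***:table/dev-users (Service: AmazonDynamoDBv2; "
    "Status Code: 400; Error Code: AccessDeniedException;",
    "An error occurred: EntitiesTable - User: arn:aws:iam::***:user/spatial-stream "
    "is not authorized to perform: dynamodb:DescribeTable on resource: "
    "arn:aws:dynamodb:eu-north-1:***:table/dev-entities (Service: AmazonDynamoDBv2; "
    "Status Code: 400; Error Code: AccessDeniedException;",
]

DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::[^:\s]*:(?P<kind>[a-z-]+)/\S+)"
    r" is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r" on resource: (?P<resource>arn:\S+)"
)
# 'user' is a long-lived IAM user; 'assumed-role' is a role session,
# which is what a Lambda execution role appears as in these messages.
KINDS = {"user": "iam-user", "assumed-role": "role-session"}

def parse_denial(line):
    """Return principal, identity type, action and resource, or None."""
    m = DENIED.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["identity"] = KINDS.get(d.pop("kind"), "other")
    return d

def missing_statements(lines):
    """Group denials per principal into one minimal Allow statement each."""
    grouped = defaultdict(lambda: {"Action": set(), "Resource": set()})
    for d in filter(None, map(parse_denial, lines)):
        entry = grouped[(d["principal"], d["identity"])]
        entry["Action"].add(d["action"])
        entry["Resource"].add(d["resource"])
    return {key: {"Effect": "Allow",
                  "Action": sorted(val["Action"]),
                  "Resource": sorted(val["Resource"])}
            for key, val in grouped.items()}

if __name__ == "__main__":
    for (principal, identity), stmt in missing_statements(ERRORS).items():
        print(identity, principal)
        print(json.dumps(stmt, indent=2))
```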