API Gateway: AWS Service integration using IAM authorization

0

I'm using AWS Service integration to connect API Gateway to DynamoDB.

E.g. PUT orders/{id} -> AWS Service: DynamoDB, Action: UpdateItem (using a mapping template to transform the HTTP body to an UpdateItem request).

Works fine. Now I'd like to secure the table so that a user can only access their own records. I've created a Cognito Identity Pool to limit a user's access and I've configured the method to use AWS IAM for auth. But I don't see a way to tell the integration to use that as the Execution role. As far as I can see, you have to hard-code that.

Is there a way to use the IAM role as the execution role?

Workaround

I'm aware that I can put a Lambda in the middle, getting it to make the DynamoDB call using the user's IAM credentials, but that's an extra hop and more code to look after. If anybody knows a way to go IAM -> Gateway -> Dynamo, that would be much better.

1 Answer
1

Something worth trying - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html

Amazon DynamoDB: Allows item-level access to DynamoDB based on an Amazon Cognito ID

AWS
Expert
Answered 2 years ago
  • Interesting suggestion. Thanks! +1
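For readers following the linked AWS document, this is the shape of the item-level policy it describes, written out here as an added example rather than code from the answer or from AWS. It assumes the table's partition key holds the caller's Cognito identity ID, and REGION, ACCOUNT_ID and TABLE_NAME are placeholders to be replaced. The policy is attached to the identity pool's authenticated role; the `dynamodb:LeadingKeys` condition restricts every listed action to items whose partition key equals the caller's Cognito identity (`${cognito-identity.amazonaws.com:sub}`).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnItemsOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": [
            "${cognito-identity.amazonaws.com:sub}"
          ]
        }
      }
    }
  ]
}
```

Two points matter for the API Gateway setup in the question. First, the condition is only evaluated against the credentials that actually call DynamoDB: if the integration uses a fixed execution role, that role's permissions apply and the per-user restriction on the Cognito role never comes into play. API Gateway's integration `credentials` setting accepts the value `arn:aws:iam::*:user/*` to pass the caller's identity through instead of assuming a fixed role, which is what makes the Cognito role's policy effective. Second, the mapping template should populate the partition key from `$context.identity.cognitoIdentityId` rather than from the request body, so the key the policy checks cannot be chosen by the client.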
