No, there aren't any credentials in the DDB key. The IAM policy that the Lambda uses to get read access to DDB includes a constraint that restricts what it can see. In the example above you can see the PK is just simply Tenant#1. The JWT includes the tenant number so the condition in the policy:
'dynamodb:LeadingKeys': [`Tenant#${who}`],
means that when the lambda is invoked where "who" is 1... they'd only see the Tenant#1 records.