diff --git a/README.md b/README.md index a87797bb..fda77e87 100644 --- a/README.md +++ b/README.md @@ -131,14 +131,38 @@ secretDescriptor: The following IAM policy allows a user to access parameters matching `prod-*`. ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "ssm:GetParameter", - "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "ssm:GetParameter", + "Resource": "arn:aws:ssm:us-west-2:123456789012:parameter/prod-*" + } + ] +} +``` + +The IAM policy for secrets Manager is similar ([see docs](https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html)): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetResourcePolicy", + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecretVersionIds" + ], + "Resource": [ + "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c", + "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes192-4D5e6F", + "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i" + ] + } + ] } ```
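Review bot: in the added Secrets Manager block, the link and the example resources are lifted from the MediaConnect user guide (`docs.aws.amazon.com/mediaconnect/...`), so the three ARNs (`secret:aes128-1a2b3c`, `secret:aes192-4D5e6F`, `secret:aes256-7g8H9i`) are MediaConnect encryption-key secrets and do not match the `prod-*` naming convention that the SSM example directly above establishes; suggest linking the Secrets Manager IAM documentation instead and using a parallel resource such as `"arn:aws:secretsmanager:us-west-2:123456789012:secret:prod-*"` (a trailing wildcard is required here because Secrets Manager appends a hyphen plus six random characters to every secret ARN, so a bare `secret:prod-db` never matches anything). The action list is also broader than a read-only consumer needs: `secretsmanager:GetSecretValue`, plus `secretsmanager:DescribeSecret` if metadata is read, is sufficient, and `GetResourcePolicy` and `ListSecretVersionIds` should be dropped unless the code actually calls them, since the point of the section is a least-privilege policy. Minor: "secrets Manager" should be "Secrets Manager", the account ID switches from `123456789012` to `111122223333` between the two examples, and the change to the SSM block is whitespace-only re-indentation, which is fine but should be mentioned in the commit message so reviewers do not look for a semantic change there.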