The flip side to the secret reader role is the secret writer.
Add this snippet to the relevant IAM policy section of a role to give it the ability to set secret values, but not retrieve them:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:us-east-1:<your-account-id>:key/<your-key-id>"
    },
    {
      "Action": [
        "dynamodb:PutItem"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:dynamodb:us-east-1:<your-account-id>:table/credential-store"
    }
  ]
}
```
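A writer role stays write-only only while no other statement, often a wildcard, also grants read access. The following check is an added example, not code from the original page or the project it describes; the function names and the list of read actions are assumptions of this example.

```python
import json
import re

# The two write actions come from the policy above. The read list is this
# example's assumption of what would let a role fetch and decrypt stored values.
WRITE_ACTIONS = ("kms:GenerateDataKey", "dynamodb:PutItem")
READ_ACTIONS = ("kms:Decrypt", "dynamodb:GetItem", "dynamodb:BatchGetItem",
                "dynamodb:Query", "dynamodb:Scan")

def _as_list(value):
    # IAM accepts a single string/object wherever a list is allowed.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_writer_policy(policy_json):
    """Return (missing_write_actions, granted_read_actions) for a policy.

    Only Allow statements are evaluated; Resource, Condition and Deny are
    ignored, so a reported read grant is a prompt to review, not a verdict.
    """
    patterns = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            patterns.append("*")  # allow-all-except: treat as a wildcard grant
        patterns.extend(_as_list(stmt.get("Action")))
    granted = lambda action: any(_matches(p, action) for p in patterns)
    missing = [a for a in WRITE_ACTIONS if not granted(a)]
    readable = [a for a in READ_ACTIONS if granted(a)]
    return missing, readable

# The page's policy, with its placeholders kept as-is.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["kms:GenerateDataKey"], "Effect": "Allow",
     "Resource": "arn:aws:kms:us-east-1:<your-account-id>:key/<your-key-id>"},
    {"Action": ["dynamodb:PutItem"], "Effect": "Allow",
     "Resource": "arn:aws:dynamodb:us-east-1:<your-account-id>:table/credential-store"}]})

# Constructed counter-example: wildcards that quietly add read access.
OVERBROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["kms:*", "dynamodb:*Item"], "Resource": "*"}})
```

Calling `audit_writer_policy(PAGE_POLICY)` returns two empty lists; any entry in the second list means the role can do more than write.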