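function New-ServerlessServiceAccountIamPolicy {
    <#
    .SYNOPSIS
        Creates and configures an AWS IAM inline policy for an IAM role that grants
        read access to the specified secrets.
    .DESCRIPTION
        Builds the policy document with Get-ServerlessServiceAccountIamPolicyString
        and attaches it to the role as an inline policy via Write-IAMRolePolicy.
        The policy is scoped to exactly the secret ARNs passed in; nothing else is
        granted by this function.
    .PARAMETER RoleArn
        [string] The pre-existing IAM role ARN, e.g.
        arn:<partition>:iam::<account-id>:role/<optional/path/><name>. Only the
        role name is sent to AWS; it is derived from the last path segment.
    .PARAMETER ProfileName
        [string] The AWS profile to use during policy creation.
    .PARAMETER Region
        [string] The AWS region to use during policy creation. Must be one of the
        regions reported by Get-AWSRegion.
    .PARAMETER SecretArns
        [string[]] An array of AWS Secrets Manager secret ARNs to grant access to
        in the IAM policy.
    .PARAMETER PolicyName
        [string] Name of the inline policy written to the role. Defaults to
        'account-secret-access-inline-policy', which preserves the previous
        behaviour; an existing inline policy of the same name on the role is
        replaced.
    .EXAMPLE
        # Constructed example values (123456789012 is a placeholder account id).
        New-ServerlessServiceAccountIamPolicy `
            -RoleArn 'arn:aws:iam::123456789012:role/example-service-role' `
            -ProfileName 'deploy' `
            -Region 'us-east-1' `
            -SecretArns @('arn:aws:secretsmanager:us-east-1:123456789012:secret:example-db-abc123')
    .OUTPUTS
        None. Errors from the AWS cmdlets are surfaced to the caller unchanged.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $RoleArn,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $ProfileName,

        [Parameter(Mandatory = $true)]
        [ValidateScript({ $_ -in (Get-AWSRegion).region })]
        [string] $Region,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string[]] $SecretArns,

        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string] $PolicyName = 'account-secret-access-inline-policy'
    )

    Import-AWSModule

    # Write-IAMRolePolicy expects the role *name*, not the ARN. The ARN's resource
    # part is "role/<optional/path/>Name", so the last "/"-separated segment is the
    # name regardless of any path. Reject input that is not shaped like a role ARN
    # so that a mistyped value cannot silently resolve to a different principal.
    if ($RoleArn -notmatch '^arn:[^:]+:iam::\d{12}:role/(?:[^/]+/)*[^/]+$') {
        throw "RoleArn '$RoleArn' is not an IAM role ARN (expected arn:<partition>:iam::<account-id>:role/<name>)."
    }
    $roleName = $RoleArn.Split('/')[-1]

    # Policy document is generated from the secret ARNs only; the helper owns the
    # statement shape, this function only attaches the result.
    $inlinePolicy = Get-ServerlessServiceAccountIamPolicyString -SecretArns $SecretArns

    Write-IAMRolePolicy -RoleName $roleName `
        -PolicyName $PolicyName `
        -PolicyDocument $inlinePolicy `
        -ProfileName $ProfileName `
        -Region $Region
}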