We don't use this feature ourselves (yet) but it was in the AWS documentation, and might be relevant to some plugin users, so I thought I'd better mention it in the README.
It's quite possible that the ARN filter is not in the right format. Would you be able to toy with it in the AWS CLI and find a filter pattern that does work? Then we could fix the example.
Have a look at the AWS docs for inspiration: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_identity-based-policies.html