How do I allow EC2 Agent to retrieve Secrets from Secret Manager when using CodeDeploy?

We have an EC2 instance that is running a CodeDeploy agent on Windows Server. I have a powershell script that runs as part of the CodeDeploy deployment in an "after-install" script. This script uses aws CLI to retrieve secrets and then updates a file in our app. When it tries to run during a deployment, it fails - the script execution times out. If I run the same script from a powershell window on the EC2 server, it works fine and only takes a few seconds. How to configure CodeDeploy agent on EC2 to have permissions to secret manager?