It is currently very hard to create a resource policy for the master database user secret in a multi user secret rotation template. The name of the IAM role doesn’t contain the name of the Lambda function or the name of the secret that is rotated. The most least-privileged permission that is currently possible without writing a custom resource to get the name of the role is therefore:

AllowUseOfDatabaseMainAdminSecretAtRotationOfWebsiteUserSecret:
Type: AWS::SecretsManager::ResourcePolicy
Properties:
BlockPublicPolicy: False
SecretId: !Ref DatabaseMainAdminSecret
ResourcePolicy:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action: "secretsmanager:GetSecretValue"
Resource: ""
Principal: ""
Condition:
"ArnLike":
"aws:PrincipalArn": !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AWS::StackName}SecretsManager"

It would be nicer to get the name of the IAM role back from AWS::SecretsManager::RotationSchedule, f.e. via GetAtt:
[...]
Condition:
"ArnLike":
"aws:PrincipalArn":
- !GetAtt WebsiteUserSecretRotationSchedule.LambdaIAMRole
- !GetAtt DatabaseMainAdminUserSecretRotationSchedule.LambdaIAMRole

You can use my CloudFormation template Database-MySQLMultiUser.yml in the repository https://github.com/FrederiqueRetsema/Blogs-2023 .

Thank you for the request, Frederique. We've noted this as an enhancement request.