I’ve been kind of confused with how secrets are rotated by secrets manager. You’ve got an `NPM_TOKEN` in your example. Does your custom lambda talk to an npm API, get a new token through the API, and then set that token as the value for `NPM_TOKEN` in secrets manager?