at least in our simple use case we just ended up creating a map with the secrets-key and values + expiration timestamp. at every lambda invocation within the same container we check if current time is past the expiration date and if so, we reload the key from ssm otherwise we use the cached one.
Of course you might want to implement something fancier like different caching periods for different keys or retry options if cache is outdated — but it should not be something too complicated. but so far we did not need such things :-)