[CGamesPlay]

Have you looked into levant? Seems like it would allow you to do this. Now, with levant the developer machine would be the thing retrieving the vault secrets, but it may be a useful stopgap.

https://github.com/hashicorp/levant

[humblepie]

Hmm, would the stored job data still include the AWS credentials? That is, if I change the artifact S3 credentials and I run "nomad job plan" it will show the diff of the AWS keys. That means somewhere in the nomad raft logs the keys are exposed.

[CGamesPlay]

Yes, exactly. Definitely not ideal, but potentially a workaround depending on the security requirements.