What would be nice and idiomatic is to be able to something like:

environment {
    AWS_ACCESS_KEY_ID = credentials(id='amazonKeyId')
    AWS_ACESS_KEY_SECRET = credentials(id='passwordId')
}

(or something more configgy looking). This can be limited to the single secret case if needed (ie not username/password).

Using various incarnations of the wrapper:

withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: '', passwordVariable: 'AWS_SECRET', usernameVariable: 'AWS_ID']]) {
    // some block
}

You can, I think get credentials back out but it is seems less configgy for common scenarious.