I am not very familiar with the java bindings; but if you are creating the IAM user, then you are very likely creating the "auth tokens" resource as well, which should include those secrets as outputs. From there, you can do whatever you want with them, including shipping to Vault or ESC as desired. Long story short, the programmatic access is a resource that you create