I think Duplicati should hide the secret part of the S3 credentials in the backend. I would like to use S3 accounts for multiple users and wouldn’t want to have a user read out the credentials to log in with another client.
This will only work with force-encrypt exported configurations (as a user could read out the secret by exporting the config), so I am not sure how easy it would be to implement, but as far as I understand, the secret part shouldn’t be stored in clear text anyways…