How to use nomad to deliver Vault AppRole SecretID?


I’ve been looking through the docs for Vault AppRole and noticed in the tutorial page (AppRole Pull Authentication | Vault - HashiCorp Learn) for steps 6,7, and 8 it mentions using Nomad as a trusted entity to obtain and deliver the wrapped SecretID. However I am having trouble finding any documentation detailing how it could potentially be done…

How would one reasonably obtain the wrapped SecretID to be delivered into the workload itself using Nomad here? I am assuming it would be through some usage of the consul templates in the template stanza for that job definition? or would it be some out-of-band process?