Secrets should never be stored anywhere except a dedicated, encrypted keystore.
Never store your secrets in a repo, in an environment file, or on disk, and especially never on developer machines.
Secrets can be API keys, database connection strings, encryption keys, whatever.
Amazon KMS works really well with other AWS services: it lets specific boxes fetch and decrypt specific secrets with no credentials stored on the box, with access enforced by IAM policies. However, if you’re not careful you’ll end up storing those credentials in your generated Docker containers, on your development/ops workstations, and everywhere else.
So how do you run your app in an environment without storing the secrets anywhere? Simple: fetch them in a wrapper script that injects them into the environment and then hands the process off to your server, so the secrets exist only in memory for the lifetime of that process.
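The wrapper pattern described above, as an added example rather than code from the original post. The `fetch_secret` function is a stand-in with a constructed in-memory table so the script runs offline; in a real deployment it would call the AWS CLI under the box's IAM instance role (for example `aws kms decrypt` on a ciphertext blob shipped with the image), which is an assumption of this example, as are the secret names `DB_URL` and `API_KEY`. The key point the script demonstrates is that the values go straight from the decrypt call into the environment and then `exec` replaces the wrapper with the server, so nothing is written to disk, to argv, or to shell history.

```shell
#!/bin/sh
# Added example: start-up wrapper that loads secrets into the environment
# and then exec's the real server process. Not the original post's code.
set -eu

# Decrypt one secret by name and print only its plaintext.
# Stand-in implementation: a constructed table so this runs offline.
# A real version would do something like (assumption, not run here):
#   aws kms decrypt --ciphertext-blob "fileb:///etc/app/$1.enc" \
#       --query Plaintext --output text | base64 --decode
fetch_secret() {
  case "$1" in
    DB_URL)  printf '%s' 'postgres://app:constructed-password@db.internal/app' ;;
    API_KEY) printf '%s' 'constructed-api-key-0000' ;;
    *)       echo "unknown secret: $1" >&2; return 1 ;;
  esac
}

# Export each named secret into this process's environment.
# The value travels through a command substitution into the shell's own
# variable table; it never appears on a command line visible in `ps`
# and is never written to a file.
load_secrets() {
  name=""
  for name in "$@"; do
    value="$(fetch_secret "$name")" || return 1
    export "$name=$value"
  done
  unset value
}

# Check helper: succeeds only if the named variable is exported and non-empty.
is_set() {
  [ -n "$(printenv "$1" 2>/dev/null)" ]
}

# Load secrets, then replace this wrapper with the server so the only
# process holding the secrets is the server itself (no lingering shell).
run_with_secrets() {
  load_secrets DB_URL API_KEY
  exec "$@"
}

# Hand off only when a server command was given; with no arguments the
# functions above are simply defined (this lets the file be sourced).
if [ "$#" -gt 0 ]; then
  run_with_secrets "$@"
fi
```

Usage would be `./with-secrets.sh /usr/local/bin/myserver --port 8080` as the container's entrypoint. Because of `exec`, the server gets the wrapper's PID and signals (SIGTERM from the orchestrator) reach it directly; make sure the server itself never logs its full environment, since that is now the one place the secrets live.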