I’m not sure why the article doesn’t mention the “best option”, which is to commit encrypted credentials using KMS. They aren’t going to visible in any console, and are only decrypted at runtime. Additionally you don’t need any magic other files or technology patterns to make this work since the code and credentials are all in the same place.