Store secrets in encrypted files, which are typically checked into version control.
To encrypt the files, you need an encryption key, and that key is itself a secret.
To solve this conundrum, you can:
- Use a key management service provided by your cloud provider, e.g. AWS KMS.
- Use PGP keys: a pair of public and private keys.
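
The PGP option, as an added example that is not part of the original page: a secrets file is encrypted with only the public key, so only the ciphertext needs to be committed, and reading it back requires the private key. The function name, user ID, file names and secret value are constructed, and the throwaway key has no passphrase only so the demo runs non-interactively.

```bash
# Added example; every name and value here is constructed for illustration.
# Round trip: encrypt a secrets file to a PGP public key, then decrypt it
# with the matching private key. Runs in a subshell with a throwaway keyring.
roundtrip_secret() (
    set -eu
    uid='Secrets Demo <secrets-demo@example.invalid>'   # constructed identity
    workdir=$(mktemp -d)

    # Isolated keyring so the demo never touches ~/.gnupg
    export GNUPGHOME="$workdir/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Generate the key pair. The empty passphrase is a demo shortcut; a real
    # private key is passphrase-protected or kept on a hardware token.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never

    # Plaintext secrets file (constructed sample value)
    printf 'db_password: constructed-sample-value\n' > "$workdir/secrets.yml"

    # Encryption uses only the recipient's public key, so anyone holding it
    # can add or update secrets without being able to read existing ones.
    gpg --batch --quiet --armor --recipient "$uid" \
        --output "$workdir/secrets.yml.asc" --encrypt "$workdir/secrets.yml"

    # Only secrets.yml.asc belongs in version control; drop the plaintext.
    rm "$workdir/secrets.yml"

    # Decryption requires the private key; plaintext goes to stdout.
    gpg --batch --quiet --decrypt "$workdir/secrets.yml.asc"

    # Stop the agent started for the temporary keyring, then clean up.
    gpgconf --kill gpg-agent
    rm -rf "$workdir"
)
```

Calling `roundtrip_secret` prints the decrypted contents of the file. It requires GnuPG 2.1 or later on the `PATH`.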