A Little Backstory
This could have been avoided in several ways. First off, developers *should* know better than to put credentials in source code, but that is a culture and training issue which can’t always be solved immediately. The second barrier should have been a static analysis tool incorporated into the build (a pre-commit hook or CI step) that detects suspicious hard-coded strings, such as values matching known key formats or high-entropy strings assigned to names like `password` or `api_key`, and fails the build when it finds one.
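The kind of check that second barrier would run, as an added example rather than code from the original post: a small scanner that combines known credential formats (the documented `AKIA`/`ASIA` prefix of AWS access key IDs, PEM private-key headers) with an entropy test on values assigned to credential-like names, so that random-looking keys are flagged while placeholders and ordinary words are not. The sample source it scans is constructed for this example; the AWS key pair in it is the well-known example pair from the AWS documentation, not a real credential.

```python
"""Hard-coded secret scanner for a CI gate (added example, not the page's tool)."""
import math
import re
from collections import Counter

# Known credential formats, plus a generic "credential-ish name = quoted value" pattern.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}

# Obvious placeholders that should not fail a build.
PLACEHOLDERS = {"changeme", "password", "example", "placeholder", "xxxxxxxx"}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score well above 3.5; English words well below."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, entropy_threshold: float = 3.5) -> list:
    """Return the names of every pattern that fires on one source line."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            if name == "generic_assignment":
                value = m.group(1)
                # Only flag values that look random; skip placeholders and plain words.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append(name)
    return findings


def scan_source(text: str) -> list:
    """Scan a whole file; return (line_number, finding) pairs, suitable for failing a build."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for finding in scan_line(line):
            out.append((lineno, finding))
    return out


# Constructed sample input. Lines 2, 3 and 6 should be flagged; 4 and 5 should not.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "administrator"
api_key = os.environ["API_KEY"]
key_pem = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for lineno, finding in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

The entropy threshold is the knob that trades false positives for misses; `administrator` assigned to `db_password` is skipped because its entropy is about 3.1 bits per character, while the 40-character secret access key scores around 4.7. Wire `scan_source` into a pre-commit hook and exit non-zero on any finding.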
If you only have a few credentials, a simple solution is to use environment variables on the server. This has the advantage of being configurable per-machine (i.e. developer settings can be separate from server settings), and reading the values from outside the process requires access to the account it runs as (on Linux, /proc/<pid>/environ is readable only by that user or root). The caveats are that environment variables are inherited by every child process and tend to leak into crash dumps, debug output and `docker inspect`. The challenge is to ensure the scripts used for setting up the environment (often a Dockerfile) also do not contain the keys: an `ENV` instruction bakes the value into the image, where `docker history` and `docker inspect` will show it, so secrets should be injected at run time instead, from an env file kept out of version control or from the orchestrator’s secret mechanism.
A better solution is to use a secrets manager to load keys at run time, such as AWS Secrets Manager. Using the API call GetSecretValue it is possible to retrieve a secret at runtime, so nothing sensitive lives in the repository or the image; the process authenticates with the IAM role of the instance, container or function it runs under, and that role should be granted only `secretsmanager:GetSecretValue` on the specific secret ARNs it needs. It is recommended to use the official SDK (boto3 for Python, for example) rather than a hand-rolled HTTP client, since the SDK handles request signing, TLS verification and retries, and it is easy to get those wrong or to log the full GetSecretValue response and leak the secret that way. This method comes with the additional benefit that it is easy to rotate credentials without requiring any redeployment, provided the application re-reads the secret rather than caching it forever: fetch it with a short TTL, or refetch when the old credential is rejected. Secrets Manager keeps the latest version under the AWSCURRENT staging label and the prior one under AWSPREVIOUS, which is what makes a staged rotation safe for clients that pick the change up a little late.
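How that run-time lookup looks in practice, as an added example and not code from the original post or from AWS. The loader is written against the boto3 `secretsmanager` client’s `get_secret_value(SecretId=...)` call, which returns a dict with a `SecretString` (or `SecretBinary`) key; any object with that method can be injected, which is what the constructed `FakeSecretsManagerClient` below does so the demo runs offline and can simulate a rotation. The secret name `prod/db` and the sample credential versions are invented for the example.

```python
"""Run-time secret loading with a short-lived cache (added example, not the page's code)."""
import json
import time


class SecretLoader:
    """Fetch secrets via get_secret_value and cache them briefly so rotation is picked up."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client          # boto3.client("secretsmanager") or a compatible object
        self._ttl = ttl_seconds
        self._clock = clock            # injectable for testing
        self._cache = {}               # secret_id -> (expires_at, parsed value)

    def get(self, secret_id: str) -> dict:
        """Return the parsed secret, refetching once the cache entry has expired."""
        now = self._clock()
        hit = self._cache.get(secret_id)
        if hit is not None and hit[0] > now:
            return hit[1]
        resp = self._client.get_secret_value(SecretId=secret_id)
        if "SecretString" in resp:
            raw = resp["SecretString"]
        else:
            # boto3 hands SecretBinary back as bytes already decoded from base64.
            raw = resp["SecretBinary"].decode("utf-8")
        try:
            value = json.loads(raw)    # Secrets Manager secrets are commonly JSON objects
        except ValueError:
            value = {"value": raw}     # plain-string secret
        self._cache[secret_id] = (now + self._ttl, value)
        return value

    def invalidate(self, secret_id: str) -> None:
        """Drop the cached copy; call this when the credential is rejected mid-TTL."""
        self._cache.pop(secret_id, None)


def production_loader(ttl_seconds=300) -> SecretLoader:
    """Build a loader on the real client; boto3 is imported lazily so this module runs offline."""
    import boto3  # credentials come from the instance/container/function IAM role
    return SecretLoader(boto3.client("secretsmanager"), ttl_seconds=ttl_seconds)


class FakeSecretsManagerClient:
    """Constructed stand-in for the boto3 client: serves successive versions, like a rotated secret."""

    def __init__(self, versions):
        self._versions = list(versions)
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        idx = min(self.calls - 1, len(self._versions) - 1)
        return {"Name": SecretId, "SecretString": json.dumps(self._versions[idx])}


def demo():
    """Show a rotation being picked up after the TTL with no redeploy of the application."""
    fake = FakeSecretsManagerClient([
        {"username": "app", "password": "v1-credential"},   # constructed
        {"username": "app", "password": "v2-credential"},   # value after rotation
    ])
    now = [0.0]
    loader = SecretLoader(fake, ttl_seconds=60, clock=lambda: now[0])
    first = loader.get("prod/db")["password"]    # fetched from the service
    second = loader.get("prod/db")["password"]   # served from cache, no API call
    now[0] = 61.0                                # TTL elapsed
    third = loader.get("prod/db")["password"]    # refetched, sees the rotated value
    return first, second, third, fake.calls


if __name__ == "__main__":
    print(demo())
```

The TTL bounds how long a rotated credential keeps being used; `invalidate` covers the window before it expires, which is the right reaction to an authentication failure from the database or API the secret protects. Never log the `resp` dict or the parsed value, and keep `get_secret_value` calls behind this one code path so the secret is not copied into configuration objects that get dumped on error.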