Currently I think the easiest way is using environment variables - it means you can set different values depending on environment/stage, and you can see where they're coming from relatively clearly in your
Via Serverless Variables you can even store your secrets in environment variables on your deployment machine and have them loaded at deploy time. This means you don't even need to write them to your
There is an open feature request to allow you to select a KMS key, so that the environment variables are encrypted at deployment (i.e. you can't see them via the console).