Where should I store my api_key and other sensitive data in a serverless project

As the title says, where should I put the DB passwords and API keys for other resources so they don't end up in the repo?

What are the best practices around this?

At the moment the best thing to do is to use environment variables through dotenv or similar, and only add those variables on deployment or in CI so they are not in the repo: https://serverless.com/framework/docs/guide/environment-variable-handling/

This is an important feature and we're working with AWS to make this much easier and better in the future, but it's not ready yet.

There are a variety of sls plugins that handle env vars in different ways. A while back I created one that does it a bit more intuitively, in my opinion. You include a .env file in the root of your project and, with the serverless-dotenv-plugin installed, when you run sls commands any env vars found in the .env file are injected into the Serverless framework just as all other environment variables already are. You can then access them in your YAML the normal way, ${env:SOME_VAR}, with the added benefit that they will also be injected into your Lambda functions.
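The two replies above describe the same mechanism from two ends: the first keeps secrets out of the repo by supplying them only as environment variables on the deploy machine or in CI, the second loads them from a git-ignored .env file and exposes them to serverless.yml as ${env:VAR} and to the functions' runtime environment. The following is an added example written for this page; it is not code from the thread, from the Serverless framework, or from serverless-dotenv-plugin. It reproduces that flow in plain Node.js with constructed input: a sample .env, a service definition held as a JavaScript object standing in for a parsed serverless.yml, and function names (parseDotenv, injectEnv, resolveEnvRefs, resolveConfig, buildFunctionEnv, computeFunctionEnvs) that are illustrative assumptions, not the plugin's API. Two details are the ones a practitioner should care about: variables already present in the environment (for example, set by CI) win over the local .env, and a ${env:VAR} reference to an unset variable aborts instead of expanding to an empty string, so a forgotten DB_PASSWORD fails the deploy rather than shipping a function with an empty credential.

```javascript
// Added example, not code from the original thread or from serverless-dotenv-plugin.
// Constructed sample .env content; in a real project this file lives only on the
// developer's machine or the CI runner and is listed in .gitignore.
const SAMPLE_DOTENV = `
# database credentials
DB_HOST=db.internal.example
DB_PASSWORD="s3cr3t#pass=word"
THIRD_PARTY_API_KEY='abc123'
EMPTY_VALUE=
`;

// Parse KEY=VALUE lines: skip blanks and comments, strip one layer of quotes,
// and split on the first "=" so a value may itself contain "=".
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) ||
       (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// Copy parsed values into an environment object (process.env in practice) without
// overriding variables that are already set, so secrets injected by CI take
// precedence over a local .env file.
function injectEnv(parsed, env) {
  for (const [key, value] of Object.entries(parsed)) {
    if (!(key in env)) env[key] = value;
  }
  return env;
}

// Resolve ${env:NAME} references inside a string. An unset variable throws instead
// of expanding to "" so the deploy fails early rather than with an empty secret.
function resolveEnvRefs(value, env) {
  return value.replace(/\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}/g, (_, name) => {
    if (!(name in env)) throw new Error(`environment variable ${name} is not set`);
    return env[name];
  });
}

// Walk a parsed service definition and resolve every string inside it.
function resolveConfig(node, env) {
  if (typeof node === 'string') return resolveEnvRefs(node, env);
  if (Array.isArray(node)) return node.map((n) => resolveConfig(n, env));
  if (node && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, resolveConfig(v, env)]),
    );
  }
  return node;
}

// Provider-level environment is shared by every function; a function-level
// environment block adds to or overrides it for that one function.
function buildFunctionEnv(config, fnName) {
  const providerEnv = (config.provider && config.provider.environment) || {};
  const fn = (config.functions && config.functions[fnName]) || {};
  return { ...providerEnv, ...(fn.environment || {}) };
}

// Constructed stand-in for a parsed serverless.yml: only ${env:...} references,
// never literal secrets, so this object is safe to commit.
const SERVICE = {
  provider: {
    name: 'aws',
    environment: { DB_HOST: '${env:DB_HOST}', DB_PASSWORD: '${env:DB_PASSWORD}' },
  },
  functions: {
    api: { handler: 'handler.api', environment: { THIRD_PARTY_API_KEY: '${env:THIRD_PARTY_API_KEY}' } },
    worker: { handler: 'handler.worker' },
  },
};

// End to end: .env plus CI-provided variables -> resolved per-function environment.
function computeFunctionEnvs(dotenvText, ciEnv) {
  const env = injectEnv(parseDotenv(dotenvText), { ...ciEnv });
  const resolved = resolveConfig(SERVICE, env);
  return Object.fromEntries(
    Object.keys(SERVICE.functions).map((name) => [name, buildFunctionEnv(resolved, name)]),
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  // Simulates a CI runner that already exported DB_PASSWORD; the .env value is ignored.
  console.log(computeFunctionEnvs(SAMPLE_DOTENV, { DB_PASSWORD: 'value-from-ci' }));
}
```

Run it with `node` to see the per-function environment the deploy would produce: `api` gets the shared DB settings plus its own API key, `worker` gets only the shared ones, and DB_PASSWORD comes from the simulated CI variable rather than the .env file. Remove DB_PASSWORD from both sources and the run aborts with the missing-variable error, which is the behaviour you want from a deploy step.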