
I completely disagree with #2. It's incredibly valuable and helpful to be able to use source control to track API key updates. Unlike environment variables, this forces accountability whenever a change to your configuration is made. If you're worried about security, you can always encrypt the individual keys.


Sure, it's OK if you have a small team and you can trust everyone on that team. But if you are in a big company with thousands of employees, you don't want a 'rogue' employee (or contractor ... à la Snowden) to start accessing and messing with your services without company approval. The fewer employees know the company access keys and passwords, the better.



