We manage them with env vars now. But we use salt (encrypted) to deploy a secrets file onto the server which is sourced before the app is started. With something like ECS I didn’t know if you could feed it an env file, and if you could, how you could make it available.