I keep my dot files public, I of course don't want to have my credentials stored in those dotfiles.
To call applications which require credentials to be set as env vars I have the following setup.
Create a file called ~/.run_with_creds with all the secret credentials after an env statement which then calls the input parameters:
env TRELLO_DEVELOPER_PUBLIC_KEY=xxx \
TRELLO_MEMBER_TOKEN=yyy \
AWS_ACCESS_KEY_ID=987 \
AWS_SECRET_ACCESS_KEY=123 \
$@
For commands that require those credentials, I alias the command to first source that file before running the command.
alias trello=‘. ~/.run_with_creds trello’
.run_with_creds will then execute the command with the credentials set and pass any additional arguments.