Load credentials in docker image using env vars

What is the best approach to load credentials file / values to an image during the deploy?
I was thinking in something like a credentials template file. Then I could add an echo “template content” > conf/prod/credentials.yml and replace the values from env variables.
How you guys are handling that?

Thinking better, store the file with credentials inside de image is very bad. Is there a way to use env vars in credentials files? What is not a good idea too because everything with credentials is ignored by .dockerignore.

For now I create a run_production.sh file with the content below:

if [ ! -f "conf/production/credentials.yml" ]
echo "aws:
  key: \"${AWS_KEY}\"
  secret: \"${AWS_SECRET}\"
  con: postgresql+psycopg2://${REDSHIFT_USER}:${REDSHIFT_PASS}@${REDSHIFT_HOST}:${REDSHIFT_PORT}/dwh" \
> conf/production/credentials.yml

kedro run --env production

Then I set sh run_production.sh in my start command in my service at rancher. That way I could use the env vars for credentials.
If anybody knows a better aproach I really really would like to learn.

Thank you!