Credentials or other secrets aren't a good idea for the environment variables.
I know I'm not the only one who thinks so... Here's what the Docker security lead says about it: "When you store your secret keys in the environment, you are prone to accidentally expose them"
None of the above, really. It's cargo cultism. It's written by the people who implemented things that were architected by engineers, without understanding the engineering principles behind what they did. So they try to "recreate it" by building the equivalent of cardboard planes on the beach.
I know I'm not the only one who thinks so... Here's what the Docker security lead says about it: "When you store your secret keys in the environment, you are prone to accidentally expose them"
Details are here: https://github.com/docker/docker/pull/9176#issuecomment-9954...
In many cases the env vars are stored in files and those files have the same problem regular config files have when they are checked in to a repo :-)