Vault, by Hashicorp is a great solution nowadays. There's still a bit of a chicken/egg issue though. Eventually an application needs a way to store password it can use to authenticate, either with the individual services it connects to, or with a single service such as Vault which then provides credentials to use with the other individual services.
One fairly common practice is to have a non-committed config file that has to be manually installed on the box that runs your code. It's not committed to any repository. If someone pwns the box they'll get the password/token/etc. But you would have bigger problems by then anyway. The biggest problem with this practice is that someone always forgets and commits the special config file, and then everything in it needs to be rotated again.