I like your idea about putting them into config file during deployment, thanks!
Regarding .env file -- I use Laravel and obviously use that .env file for vars & secrets, but I use aws-php-sdk, which uses getenv() function to get aws creds from env vars of the pod. I also cache configs, so .env file no more readable after caching, that's why I am so worried about the fact I cannot access system level env vars.
But the most weird point is that other Laravel & Symfony apps of the friend of mine with the same configs have access to system lvl env vars.
Appreciate your time and help!