what in the hell does LDAP, PAM or anything else you mentioned have to do with separating credentials from code? Those all still require credentials, they are not credential token stores.

Something like https://devcenter.heroku.com/articles/config-vars or https://kubernetes.io/docs/concepts/configuration/secret/ or https://www.vaultproject.io/ or a secure s3 bucket would all have been great answers. Hell, we used to use a mysql db with encrypted credentials over a REST interface as a token store.