Don't know about kube, but awscli and a few others decouple the idea of getting credentials and doing the actions. You can use the password directly through them every time, but a better way is to either use the preconfigured profile or some wrapper which does use the keychain. For example https://github.com/99designs/aws-vault/ supports one-off commands and shell sessions with pre-populated tokens. There's also similar cf-vault.
Terraform also can be configured to use environment variables (and I'm sure other utilities) which allows similar "use a separate tool for creds" approach.
(kube apparently has https://github.com/chrisns/kubectl-passman)
> For example https://github.com/99designs/aws-vault/ supports one-off commands and shell sessions with pre-populated tokens.
I came to recommend aws-vault, it is pretty handy to not store aws keys in plain text.