If you're on AWS, a good solution is EC2 Parameter Store. Paired with KMS, you have encrypted secrets, locked down by IAM user if necessary. Paired with IAM Roles, you don't even have to have a key you manage for secrets access. You can cache a secrets file in S3, using the same encryption mechanism (useful if you want something like a .env.development to pull down). Most complicated part is bootstrapping your app to pull down the secrets, which is true of any secrets management solution you might use.
a tool which pairs well with parameter store is https://github.com/segmentio/chamber/ . it's a nice interface over the awscli commands that save you a lot of typing. definitely worth looking at as it also saves you the hassle of dealing with a secrets file stored in s3.