security of CI information with Docker Secrets

In config/database.php my userid and password for mySQL is visable, unencryted.  I have some other things that I use in my app that are secrets such as my AWS userids. I need to secure these and since I am using Docker I am investigating using Docker Secrets. But how can I modify the $db array prior to bringing up my system with the userid and password kept in Docker Secrets. I am not sure yet but I presume that there is an api call I will make to get the secret. But where do I place that in the CI application?

proof that an old dog can learn new tricks