Inadvertently committing API keys is easy. That quick one-off script with embedded credentials because it was only supposed to take a couple of minutes to write and then be discarded, or later version that reads from config but the config lives in the same directory and got swept up in a git add. Or when your tried and trusted .gitignore got left behind.
Or you coded everything right but put a screenshot of the config file in the documentation to show others how to do it, because you're conscientious like that.
It's a problem because even the simplest credentials file rapidly becomes too complex to remember so a template needs to be stored somewhere.
AWS would push server roles, but that comes with a whole load more 'anyone who compromises one server compromises all the cloud stuff it has access to' issues.
As with all these things; there are those who've done it, those who will do it and Reg commentards who criticise from the sidelines.