I'm working on a clojure web application, using leiningen 2 for build and deployment. It's a very vanilla webapp, and I'm using compojure, ring, and lein-beanstalk. My app needs to use both database credentials and S3 credentials, and I'm not sure the best way to store and access them in my app.

What is the common way of handling sensitive things like database credentials, that need to be deployed with my app, using leiningen 2?

it's possible for me to set up environment variables on elastic beanstalk, but I'd like to avoid that route if possible.

Two ways to do it. One is to use environment variables, which is nice if all your config values are strings and you don't need arbitrary nesting. Your best bet here is Environ: https://github.com/weavejester/environ

The other nice option is to read Clojure data files off the classpath. You can check dev config settings into your project with the dev-resources dir and place production config on the classpath with your deployment tool. The advantage here is your config can be arbitrary Clojure values with nested maps, etc. The nicest thing for this is Carica: https://github.com/sonian/carica

I'm quite fond of using environment variables to track variable environments. ;-)

Others pass them using -Ddb=foo options and reading them with (System/getProperty "db")

Take a look at Confijulate - a library I created to implement this pattern:

https://github.com/bbbates/confijulate

You can store the passwords or keys in an external file and have it loaded in via a system property. In the function that connects to S3 or the dB, you can decrypt it using a a key loaded in via the same mechanism. Just make sure the file you read in is readable only by the web user (tomcat or jboss or whatever container you're using with beanstalk).