Using environmental variables in Open Distro security plugin configuration

Initially I put something like that in my plugins/opendistro_security/securityconfig/config.yml:

ldap:
        http_enabled: true
        transport_enabled: true
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
              - ldap.domain.com:3268
            bind_dn: ${LDAP_BIND_DN}
            password: ${LDAP_BIND_PASSWORD}
            usersearch: '(sAMAccountName={0})'
            userbase: 'OU=Accounts and Groups,DC=domain,DC=com'
            username_attribute: 'sAMAccountName'

But even though I set those variables in ES environment, I got errors on LDAP connection with error 49, implying that credentials are not valid. When I replace the variables with actual values, it works. That’s not bad, but I want to commit this config to Git, and having secrets there is, of course, extremely undesirable. Is there any workaround?