Ansible handles this issue very cleanly with a feature called "vault": http://docs.ansible.com/playbooks_vault.html

I think it probably works better integrated into the deployment system. The developer can still write {{ DBPASSWORD }} wherever they need and not have to worry that they don't know what the password on production or staging is.