I like the idea that you can use Cloud Secret Manager to store and encrypt the secrets within the app.

Coming from using .env files in Next.js and Vercel hosting could this process be made simpler e.g. reading the .env file from your app directly and intelligently placing the key/value pairs in the apphosting.yaml file or the rollout during creation.

This would be good to keep things simple and straight forward.