gilcrest / diygoapi

A Go RESTful API template

Figure out GCP secrets integration with Cloud Run

gilcrest opened this issue · comments

Instead of setting secrets (encryption key, db username/password) through environment variables in GCP, figure out how to integrate with GCP's Secrets Manager and Cloud Run. I believe it's pretty straightforward, actually, and should get to this soon as it's important.

commented

It's super simple, just ensure that the default service account has secret accessor privs: --role="roles/secretmanager.secretAccessor"

If Cloud Run is like App Engine then the SA is injected at runtime and always available; you can detect if it's in a GCP env by looking for process.env.GCLOUD_PROJECT.

commented

Using gcloud, you can specify a different service account if you need to, like the below:

gcloud secrets versions access latest --secret="my-secret" \
  --impersonate-service-account="PROJECTID@XXXXXX.iam.gserviceaccount.com" \
  --project="xxxxxx" > ./secret.key

My Go is a bit rusty, looking for something like this to kick start me in the right direction, but I gotta make use of a Mongo instance. Is it much work to migrate from Postgres to MongoDB?

Thanks! Unfortunately I've never used Mongo, so can't really comment...
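
The runtime flow discussed in this thread, as an added Go example (not code from diygoapi or from any commenter): the service takes a token for its injected service account from the metadata server, then calls the Secret Manager REST `versions/latest:access` method, which succeeds only if that account holds `roles/secretmanager.secretAccessor`. It uses only the standard library rather than Google's client library; the project `xxxxxx` and secret `my-secret` are the thread's placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

var metadataURL = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" // vars so a test can stub them
var secretsURL = "https://secretmanager.googleapis.com/v1"
var client = &http.Client{Timeout: 10 * time.Second}

// getJSON sends a GET with one extra header and decodes a 200 response into out.
func getJSON(url, header, value string, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set(header, value)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403 from Secret Manager: accessor role not granted
		return fmt.Errorf("unexpected status %s", resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// AccessSecret reads the latest secret version as the service's runtime identity.
func AccessSecret(project, name string) ([]byte, error) {
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := getJSON(metadataURL, "Metadata-Flavor", "Google", &tok); err != nil {
		return nil, fmt.Errorf("metadata token: %w", err)
	}
	var ver struct{ Payload struct{ Data string `json:"data"` } `json:"payload"` }
	url := fmt.Sprintf("%s/projects/%s/secrets/%s/versions/latest:access", secretsURL, project, name)
	if err := getJSON(url, "Authorization", "Bearer "+tok.AccessToken, &ver); err != nil {
		return nil, fmt.Errorf("access secret: %w", err) // error text carries no token or payload
	}
	return base64.StdEncoding.DecodeString(ver.Payload.Data)
}

func main() {
	_, err := AccessSecret("xxxxxx", "my-secret") // placeholder project and secret names
	fmt.Println("fetch error:", err)
}
```

Fetching the value at startup this way keeps the encryption key and database credentials out of the Cloud Run service's environment variable configuration.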