env variables were very easy (just name/value pairs in the container definition), but to get secrets I had to:
* create the secret
* give it a value (via secretVersion)
* add access to the secret to the fargate services' execution role
then the service could actually access and use the secret