Secrets Manager
For truly sensitive values — API keys, database credentials, tokens — Gothic can pull them from AWS Secrets Manager at deploy time with the gothic.SecretsManager(...) builder. Like gothic.Env and gothic.SSMParam, it produces a source-aware EnvValue, so it drops straight into any stage's ENV map (or into a domain field).
Secrets Manager secrets are often JSON objects. Chain .Get("jsonKey") and Gothic decodes the secret and injects just that one field into your environment variable — never the whole blob:
Stages: map[string]gothic.Stage{
"dev": {
ENV: map[string]gothic.EnvValue{
// Whole secret as a plain string:
"API_KEY": gothic.SecretsManager("/myapp/dev/api-key"),
// Pull one field out of a JSON secret with .Get:
"DB_PASSWORD": gothic.SecretsManager("/myapp/dev/db").Get("password"),
},
},
},The same .Get("jsonKey") trick also works on gothic.SSMParam when a parameter stores JSON. Reach for Secrets Manager when you want rotation and fine-grained IAM on the secret itself; reach for Parameter Store for plain config.
Your config is fully wired. Want to run your own Go code around a deploy? Meet the lifecycle hooks!
