Gothic Framework G symbol

Secrets Manager

For truly sensitive values — API keys, database credentials, tokens — Gothic can pull them from AWS Secrets Manager at deploy time with the gothic.SecretsManager(...) builder. Like gothic.Env and gothic.SSMParam, it produces a source-aware EnvValue, so it drops straight into any stage's ENV map (or into a domain field).

Secrets Manager secrets are often JSON objects. Chain .Get("jsonKey") and Gothic decodes the secret and injects just that one field into your environment variable — never the whole blob:

Stages: map[string]gothic.Stage{
	"dev": {
		ENV: map[string]gothic.EnvValue{
			// Whole secret as a plain string:
			"API_KEY": gothic.SecretsManager("/myapp/dev/api-key"),
			// Pull one field out of a JSON secret with .Get:
			"DB_PASSWORD": gothic.SecretsManager("/myapp/dev/db").Get("password"),
		},
	},
},

The same .Get("jsonKey") trick also works on gothic.SSMParam when a parameter stores JSON. Reach for Secrets Manager when you want rotation and fine-grained IAM on the secret itself; reach for Parameter Store for plain config.

Your config is fully wired. Want to run your own Go code around a deploy? Meet the lifecycle hooks!