Configuration
Config layers the standard ASP.NET Core way — appsettings.json for defaults and structure, appsettings.<Env>.json for per-environment overrides — plus one layer on top: the stage environment declared in your manifest. What differs from a hand-rolled AWS setup is when the Parameter Store and Secrets Manager values resolve.
// appsettings.json — defaults and structure, committed to git{ "AppSettings": { "DatabaseNamespace": "prod", "AwsRegion": "eu-west-1", "EnableHighAvailabilityCache": true }, "CognitoIdentityProviderSettings": { "Region": "eu-west-1", "ApplicationIdentitySchema": "AppIdentity", "UserPartitionKey": "user#" }} Secrets resolve at deploy, not at cold-start
A stage env value is a plain string, a param: Parameter Store reference, or a secret: Secrets Manager reference. Kanject resolves every reference once, at deploy, and writes the result into the function's environment variables. Your service reads them through the ordinary environment-variable configuration provider — ASP.NET Core's Section__Key convention maps a flat env var onto a nested config key — so it never calls Parameter Store or Secrets Manager itself, and cold-starts stay fast.
// stages/prod.json — environment values, resolved at deploy{ "env": { "ASPNETCORE_ENVIRONMENT": "Production", "CognitoIdentityProviderSettings__UserPoolId": "param:COGNITO_USER_POOL_ID", "CognitoIdentityProviderSettings__ClientId": "secret:app/prod/cognito#clientId" }} Only the param: / secret: reference lives in the committed stage file — never the value. See Core Concepts for the three env forms and where each resolves, and the Manifest Reference for the stage-file schema.