.sops.yaml creation rules
Automate which key encrypts what.
Running sops -e with the right recipients by hand for every file is error-prone, so SOPS reads a .sops.yaml config from the repo that declares creation rules: which key(s) to encrypt with, and which encrypted-regex to apply, based on the file path or a regex. With it in place, a contributor just runs sops <file> and the correct keys and settings are applied automatically — no one has to remember the right --age or --kms flag.
creation_rules:# prod files -> the prod KMS key- path_regex: secrets/prod/.*\.yaml$kms: arn:aws:kms:us-east-1:...:key/prod-key# everything else -> the team age key- path_regex: .*\.yaml$age: age1team...,age1backup...encrypted_regex: '^(password|token|.*_key)$'
Consistency and correctness
The .sops.yaml is where you enforce your scheme: prod secrets always go to the prod key, dev to the dev key, the right fields always get encrypted. It removes the human step where mistakes happen (wrong key, missed field). Commit it to the repo so the rules travel with the code and every contributor — and every automated re-encrypt — uses the same recipients. It is the equivalent of a policy for how secrets in this repo are encrypted.