To use KSOPS with a Key Management Service (KMS) such as AWS KMS, GCP KMS, or Azure Key Vault, configure your .sops.yaml file so that the creation_rules section names the KMS key(s) that should protect each file. The key identifiers below are placeholders; substitute your own key ARN, resource path, or vault URL. For example:
creation_rules:
  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
    # For AWS KMS
    kms: arn:aws:kms:us-east-1:123456789012:key/abcd-efgh-ijkl
    # For GCP KMS
    # gcp_kms: projects/my-project/locations/global/keyRings/my-kr/cryptoKeys/my-key
    # For Azure Key Vault
    # azure_kv: https://my-key-vault.vault.azure.net/keys/my-key/
KSOPS uses SOPS for encryption and decryption, so your cloud provider credentials (such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for AWS) must be available as environment variables wherever KSOPS runs, including CI/CD pipelines and Argo CD deployments. The identity used there only needs permission to decrypt with the configured key (kms:Decrypt on AWS), not to manage it.

Reference your encrypted files in your KSOPS generator config (e.g., secret-generator.yaml) and include that generator in your kustomization.yaml. For Argo CD, inject the necessary credentials into the repo-server deployment and enable kustomize plugins as described in the documentation. More details and examples are available in the KSOPS README.
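A check that belongs in front of this workflow is a pre-commit or CI guard that refuses a Secret manifest which was never run through SOPS, or which references a different KMS key than the one in .sops.yaml. The following is an added example written for this answer, not code from KSOPS or SOPS. It is a stdlib-only, line-based check over the YAML text, and it assumes the unencrypted_regex and the (placeholder) AWS KMS ARN from the .sops.yaml above; the two manifests embedded in it are constructed samples with fake ciphertext.

```python
"""Pre-commit style guard: refuse to commit a KSOPS Secret that is not fully SOPS-encrypted.

Stdlib only (no PyYAML), so the check is line-based over the manifest text.
The manifests below are constructed samples; the ENC[...] payloads are not real ciphertext.
"""
import re

# Shape of every leaf value that SOPS writes after encryption.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$")
# Same regex as the creation rule in .sops.yaml: these top-level keys stay in cleartext.
UNENCRYPTED_KEYS = re.compile(r"^(apiVersion|metadata|kind|type)$")
# KMS key pinned by the .sops.yaml example (placeholder ARN, assumption for this check).
EXPECTED_KMS_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcd-efgh-ijkl"


def check_secret(manifest: str, expected_arn: str = EXPECTED_KMS_ARN) -> list:
    """Return a list of problems; an empty list means the manifest is safe to commit."""
    problems = []
    section = None      # current top-level key, e.g. "data", "stringData", "sops"
    saw_sops = False    # a "sops:" block is the footprint of a real encryption run
    arn_ok = False      # the sops block must reference the key we expect
    for lineno, raw in enumerate(manifest.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            section = line.split(":", 1)[0].strip()
            if section == "sops":
                saw_sops = True
            continue
        if section == "sops":
            # Only the key reference matters here; mac/iv/version are not checked.
            m = re.match(r"-?\s*arn:\s*(\S+)$", line)
            if m and m.group(1) == expected_arn:
                arn_ok = True
            continue
        if UNENCRYPTED_KEYS.match(section):
            continue  # metadata, kind, etc. are cleartext by design
        m = re.match(r"-?\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # continuation line of a block scalar; its parent key was already judged
        key, value = m.group(1), m.group(2)
        if value == "":
            continue  # nested mapping; its leaves are checked on later lines
        if not ENC_VALUE.match(value):
            # Catches plaintext, base64-only "data:" values and "|" block scalars alike.
            problems.append(f"line {lineno}: {section}.{key} is not SOPS-encrypted")
    if not saw_sops:
        problems.append("no 'sops' metadata block: file was never encrypted")
    elif not arn_ok:
        problems.append(f"sops metadata does not reference the expected KMS key {expected_arn}")
    return problems


# Constructed sample: what a SOPS-encrypted Secret looks like after `sops -e`.
ENCRYPTED_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
type: Opaque
stringData:
    username: ENC[AES256_GCM,data:5Hh2kQ==,iv:AAAA,tag:BBBB,type:str]
    password: ENC[AES256_GCM,data:c29tZQ==,iv:CCCC,tag:DDDD,type:str]
sops:
    kms:
        - arn: arn:aws:kms:us-east-1:123456789012:key/abcd-efgh-ijkl
          created_at: "2024-01-01T00:00:00Z"
          enc: AQICAHconstructedWrappedDataKey==
          aws_profile: ""
    gcp_kms: []
    azure_kv: []
    mac: ENC[AES256_GCM,data:EEEE,iv:FFFF,tag:GGGG,type:str]
    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
"""

# Constructed sample: a plain Secret whose values are merely base64, never encrypted.
PLAINTEXT_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
type: Opaque
data:
    username: YWRtaW4=
    password: aHVudGVyMg==
"""

if __name__ == "__main__":
    for name, text in (("encrypted", ENCRYPTED_SECRET), ("plaintext", PLAINTEXT_SECRET)):
        found = check_secret(text)
        print(f"{name}: {'OK' if not found else 'REJECT'}")
        for p in found:
            print("  -", p)
```

Run it over every file listed in secret-generator.yaml before committing. The check is deliberately strict about a manifest that carries a sops block but also a leaf that is not ENC[...]: that is what a file looks like when someone adds a key by hand after encryption, and SOPS will refuse to decrypt it at deploy time anyway because the MAC no longer matches.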