Description
Hey
I am trying to configure SOPS to encrypt secrets with kms keys that will come from different AWS accounts. Essentially if one has access to at least one of the keys he will be able to decrypt the file.
The way we configure our AWS in our workflow is through the usage of named aws profiles.
We'd like to automatically configure our sops secrets with several of those keys:
```yaml
# any_secrets.yaml
foo: [<snip>]
sops:
    kms:
        - arn: <arn-of-account-1>
          aws_profile: "account-1"
        - arn: <arn-of-account-2>
          aws_profile: "account-2"
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
```
I then tried to configure the `.sops.yaml` configuration file, configuring the various keys and associated aws profile like so:
```yaml
# .sops.yaml
creation_rules:
  - key_groups:
      - kms:
          - arn: '<arn-of-account-1>'
            aws_profile: 'account-1'
          - arn: '<arn-of-account-2>'
            aws_profile: 'account-2'
```
But when trying to encrypt anything with sops using this configuration file, sops is trying to get the ARN using the default aws profile. Basically the `creation_rules[*].key_groups[*].kms[*].aws_profile` entries are completely ignored.
How can I update my configuration to get sops working with several kms keys with different aws profiles?
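One way to confirm whether the per-key `aws_profile` from a creation rule actually reached the encrypted file is to compare the rule against the file's `sops.kms` metadata. The following is an added example, not code from the sops project or the issue author; the ARNs, profile names and metadata are constructed, and in practice both documents would be loaded with a YAML parser (for instance PyYAML's `yaml.safe_load`) instead of being written out as dicts.

```python
"""Check that an encrypted file's KMS metadata carries the aws_profile that
the .sops.yaml creation rule requested (constructed example)."""

# Constructed ARNs standing in for <arn-of-account-1> / <arn-of-account-2>.
ARN_1 = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000001"
ARN_2 = "arn:aws:kms:eu-west-1:222222222222:key/00000000-0000-0000-0000-000000000002"

# Parsed form of the creation rule shown above (constructed).
CREATION_RULE = {
    "key_groups": [
        {"kms": [
            {"arn": ARN_1, "aws_profile": "account-1"},
            {"arn": ARN_2, "aws_profile": "account-2"},
        ]}
    ]
}

# Parsed `sops:` block of an encrypted file in which the second key lost its
# profile, i.e. the symptom described in the issue (constructed).
FILE_METADATA = {
    "kms": [
        {"arn": ARN_1, "aws_profile": "account-1", "enc": "<snip>"},
        {"arn": ARN_2, "aws_profile": "", "enc": "<snip>"},
    ]
}


def expected_profiles(rule):
    """Map every KMS ARN named in a creation rule to its requested profile."""
    out = {}
    for group in rule.get("key_groups", []):
        for entry in group.get("kms") or []:
            out[entry["arn"]] = entry.get("aws_profile") or None
    return out


def find_profile_mismatches(rule, metadata):
    """Return (arn, expected_profile, actual_profile) for every key whose
    profile in the file differs from the rule; a key absent from the file is
    reported with actual '<missing>', an extra key with expected '<not in rule>'."""
    expected = expected_profiles(rule)
    actual = {e["arn"]: e.get("aws_profile") or None for e in metadata.get("kms") or []}
    problems = []
    for arn, profile in expected.items():
        if arn not in actual:
            problems.append((arn, profile, "<missing>"))
        elif actual[arn] != profile:
            problems.append((arn, profile, actual[arn]))
    for arn in sorted(actual.keys() - expected.keys()):
        problems.append((arn, "<not in rule>", actual[arn]))
    return problems
```

An empty `aws_profile` in the file metadata means sops will fall back to the default credential chain for that key, which is exactly the behaviour the check is meant to catch.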