diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index f338fe7..f268604 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -10,6 +10,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
   pull-requests: write
 
 jobs:
diff --git a/.sops.yaml b/.sops.yaml
index 8967c45..99901db 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,3 +1,3 @@
 ---
 creation_rules:
-  - age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
+  - kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 032c68f..293dc28 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -13,16 +13,11 @@ sops_age_key: ENC[AES256_GCM,data:xwyvLD5uu4Umd1rF8dEoBi1DPZ5ts2xROd4MYVxiGbHxPs
 ops_ssh_privkey: ENC[AES256_GCM,data:2Ig2T4oNJoqHfRjoFGDiTWWz6hiU4ZAuK71SGO5yz9BZwZ5XODiH0GRm2gRzasUc0IB9UtnEv1keG27dKKx8J0XPF3jCI9HxMaW91C04IQ0VZcgnyLJiixx9kyx4DWz3lI63fTQMrz9SnTGNQnYXWb75MRw3lFW33nlFb2xa1h0+8lrOFPduFS1+iodSrhETL0L4uA8SgkB3xz/Of85rXG8ZRnBzrscMKQz56MNqVEXJ1kVEZBgu7TlWovFCEWxrGEkIC5KSGIs57ZhGLzGYn4nopVzuNmaywgbKpWCPjQULBgQvuU6zUG3Ul9/p9nc5V7xCMUFeC0/TeeiYPVv2OfYSSLUNtz24J5u4oQ/D47AKWfRxN42eUA8zbMgJIYFY3czZ+PUseDXsBbF0r2J8C9AIrg8aV3uxLRZoCfPiFqKvZDJMDJaDx5t2cJtMdvtBSX9Vd9zObzR5P5kcb1cEhQfXWTgNsPuzhbRyLNCLdf59sp0C/pUiLdFpQDm72sLwgunNzlvi1yoidbIvX9QCdCqGQp8KOmxT1/djlpR17nX0DGEf4a6NAy+CMlcG8p9U,iv:fDQ8XQRUJDvoHvJzs+wZwMH6ePGx2Q1Wh6qmqgTTC80=,tag:9F2eO49JX0hgRnGxVNo7jg==,type:str]
 hero_known_hosts: ENC[AES256_GCM,data:7/TRHASfMqpQ7JvigV42DFjBz+XJpyKlhyi8T9Ex3+G5uYL0DkWSPwbkhoHRZPKxugHbtG6jGd3PF86lfsXV0AdKCj3W4xXsUYaP3l9SluuMCIIPAlNbvrsB6u/4v38yqWnILxSS5Hj87Ju8PnENje5ArDmP8oXKZqosVdAuFCDFycmjwqjIgzq9yLQGP9koGmlWorAZ94/PBN8Y5oF9eBc8g1kij+aFN38kLFB6vpN858xzzbUG0N7iheCLyOwyXYauegqmPHu6uaEEDLJ0B15CyF7RcKqZUiIXZWKMYAJabHBNGPL6pyH4ybB8kdXIG9xN48MNe+E2lWJKYu6t3x7TTpnaZ1ulA5jYgWyYplUmSoOs9YOZoOJ9/Xgq91wAFrgywKmog8ph1Sjg5hZaovQsl4difKElFPHnkVC+LWK1nX0CwHfpo1FIzxJeiTcm1VQ9r9jet2jnMoQep0yqaCKxZYo5sXW2m+jG7ppXW/qxyaeWclPnOho18QKkJSpU3ffAH6mEHgGYFVjdrRV5/24TY+yU0s4JfHhJ2hdY95ZH+xbzUaiE8RF/GaS8VtrEgZZrIlQJoMZk+fGv2Y7k0em9OZX8k9jjmEqVpjwlH0WMjectLcvYGeZosuv1VXk+wEv2/Q4YYmt/ylxjO8xsDSTV4B/SsP2guzUcCbXV1TnEbumvqxOLJ2yOXgwvH574zC3Qh0ztiELj/7yEp18u8jJFqXt9BSVkgv3CRwlZkXD9Gyzz+dhegrSm/dVGNXm0rKBiqzjvtcvjafqJcl7NOa2t3AwfTEIubtb21Rb29MZW48zmRf5RRtmapEFcf3xM1pCYG2NpJquCLe3iidCZ6mVFcOSV2gc1olMiuu1j7Z2zp92A0pxHvFuiftlugXQEmwLksdWHIBnrFVZId4Jaw0XlMTutWwU98YDmEw4ynyR4aocYgFRP8auu3u29fnVb0XgsRVwGuTeOpwcLPXZH2tczfZhxFyyiWuqE6IbpCLymHc5yiiw8REJOK2WQDg7r/fkrVMnQEhbyUsL9Ne9/uayjrdiI7iPOHRh+WIDqAP3X+1Dj7k7qffdPl2ADJmv1qBLLi++AefUkGi6BnLEWFWrYJSdekBTRct6eZuDMlpUZMnG58pxUcr0V+Ihg9LNpl00ZZbU7RdOK1UkjOhCj8xWKje7Rrm9RKcBKr7iEktfIU7V/d22TR5Lk+DiloKHxQMTrfnkM88CuiaJfl1ZOLF4oofeNDxw/auHgrf6acC1qmJUG8B/4ix5xYn0P5UxyPJTmdm4PDJ/3vFPlE66Bj7w2Oi4RIM8QTjllk9dy2RAR7ZNXVW4m8Kg5,iv:Ukxelc0oU9HY73FMP4twk9ZH8eVjaYybB7fMt6hOcC8=,tag:dfH5LhKoGcZ88n3A3nnJDw==,type:str]
 sops:
-    age:
-        - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek45TWc4UktDM2ZEcnBo
-            RXI0cjRVeEcwODkxUEJiemEybElwUjVIYVdzCm9QeEl0QzVuSU5nWldmOStiVTlV
-            UFd3Vk9zRElOQlViTG1iZ0VMMjNpTmcKLS0tICtFUFUxcjRNeDBQMThrRUl3RmVV
-            R05MZlJDY1JnVjBlb01Hdm10d3k3VXMKpYhy+H82z9yBAREn2O0cUQp+m9laXyAx
-            5Hn86bDGLP4LxsVKbQS/77Weg0HI26WsKkTwOR8DB72TFia1SzQNqQ==
-            -----END AGE ENCRYPTED FILE-----
+    kms:
+        - arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
+          created_at: "2026-06-19T04:16:52Z"
+          enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AHuCPDF9cTWw01EAFzQPbMSAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMpfP6oxunT8dbD4PXAgEQgDvVvVjfsN8aZbEcGS6saMUCX6R7pXnpiqadOQwL6CRbpmzsjMenjTyoef62vrdIPJbQWApOHt4mLq95yw==
+          aws_profile: ""
     lastmodified: "2026-04-29T22:35:54Z"
     mac: ENC[AES256_GCM,data:/psr3jetNh7hC0qcXJB+PMlUEHgpLBHa8rmYlzV2NBB5IsbeiWYNWCYp62oownV8QBfRMl72Pp1HdF/4eo9Kjhy2CQ2HsMREpx9OVjlfk/oreFqquqBQLC+5lQV30QIKjc9uwMZAukZdNzOLRsuIQjHyDQHLTaT4Nkx5wpIo4Cc=,iv:A+vVP8eyj/sKb+AZvAfYguLe6QMidOLYRZd9D0Sw1Ew=,tag:piKeKZW9D/h4leszVkupkA==,type:str]
     unencrypted_suffix: _unencrypted