diff --git a/profiles/aws/env/secrets.settings.yaml b/profiles/aws/env/secrets.settings.yaml
index 4b11754650..8b05702ed3 100644
--- a/profiles/aws/env/secrets.settings.yaml
+++ b/profiles/aws/env/secrets.settings.yaml
@@ -12,7 +12,7 @@ home:
 kms:
     sops:
         aws:
-            clientKey: somesecretvalue
+            accessKey: somesecretvalue
             secretKey: somesecretvalue
             region: somesecretvalue
 oidc:
diff --git a/values-schema.yaml b/values-schema.yaml
index 1365db7312..43237a389b 100644
--- a/values-schema.yaml
+++ b/values-schema.yaml
@@ -66,30 +66,38 @@ definitions:
     description: A set of annotations.
   awsCreds:
     properties:
-      accessKey:
-        type: string
-      secretKey:
-        type: string
-      region:
-        type: string
+      aws:
+        properties:
+          accessKey:
+            type: string
+          secretKey:
+            type: string
+          region:
+            type: string
+        required:
+          - accessKey
+          - secretKey
+          - region
     required:
-      - accessKey
-      - secretKey
-      - region
+      - aws
   azureCreds:
     properties:
-      clientId:
-        type: string
-      clientSecret:
-        type: string
-      environment:
-        type: string
-      tenantId:
-        type: string
+      azure:
+        properties:
+          clientId:
+            type: string
+          clientSecret:
+            type: string
+          environment:
+            type: string
+          tenantId:
+            type: string
+        required:
+          - clientId
+          - clientSecret
+          - tenantId
     required:
-      - clientId
-      - clientSecret
-      - tenantId
+      - azure
   azureMonitor:
     properties:
       appInsightsApiKey:
@@ -178,10 +186,14 @@ definitions:
     title: Environment variables
   googleCreds:
     properties:
-      accountJson:
-        type: string
-      project:
-        type: string
+      google:
+        properties:
+          accountJson:
+            type: string
+          project:
+            type: string
+    required:
+      - google
   hostPort:
     pattern: '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]):()([1-9]|[1-5]?[0-9]{2,4}|6[1-4][0-9]{3}|65[1-4][0-9]{2}|655[1-2][0-9]|6553[1-5])$'
     type: string
@@ -663,10 +675,14 @@ definitions:
     type: array
   vaultCreds:
     properties:
-      token:
-        type: string
+      vault:
+        properties:
+          token:
+            type: string
+        required:
+          - token
     required:
-      - token
+      - vault
 properties:
   alerts:
     $ref: '#/definitions/alerts'
@@ -1610,23 +1626,10 @@ properties:
     properties:
       sops:
         oneOf:
-          - aws:
-              $ref: '#/definitions/awsCreds'
-            required:
-              - aws
-          - azure:
-              $ref: '#/definitions/azureCreds'
-            required:
-              - azure
-          - google:
-              $ref: '#/definitions/googleCreds'
-            required:
-              - google
-          - vault:
-              $ref: '#/definitions/vaultCreds'
-            required:
-              - vault
-        type: object
+          - $ref: '#/definitions/awsCreds'
+          - $ref: '#/definitions/azureCreds'
+          - $ref: '#/definitions/googleCreds'
+          - $ref: '#/definitions/vaultCreds'
   oidc:
     additionalProperties: false
     description: 'Holds many parts used in different locations. Please see keycloak, istio and oauth-proxy all consuming parts.'