Deprecate some KMS client registration functions.

PiperOrigin-RevId: 560729256 Change-Id: I8f5bb983fafb46ec239a0dbab927cc4a801f3578
tink-crypto · Aug 28, 2023 · bcb6196 · bcb6196
1 parent 6081eba
commit bcb6196
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/main/java/com/google/crypto/tink/integration/awskms/AwsKmsClient.java b/src/main/java/com/google/crypto/tink/integration/awskms/AwsKmsClient.java
@@ -189,8 +189,14 @@ public Aead getAead(String uri) throws GeneralSecurityException {
    *
    * <p>If {@code credentialPath} is present, load the credentials from that. Otherwise use the
    * default credentials.
+   *
+   * @deprecated It is preferable to not register KMS clients. Instead, create the AwsKmsClient
+   *     yourself and call {@link getAead} to get a remote {@code Aead}. Use this {@code Aead} to
+   *     encrypt a keyset for with {@code TinkProtoKeysetFormat.serializeEncryptedKeyset}, or to
+   *     create an envelope {@code Aead} using {@code KmsEnvelopeAead.create}.
    */
-  public static void register(Optional<String> keyUri, Optional<String> credentialPath)
+  @Deprecated
+  /* OSS: public */ static void register(Optional<String> keyUri, Optional<String> credentialPath)
       throws GeneralSecurityException {
     registerWithAwsKms(keyUri, credentialPath, null);
   }