Deprecate some KMS client registration functions.

juergw · copybara-github · commit bcb619604da7 · 2023-08-28T09:15:40.000-07:00
PiperOrigin-RevId: 560729256
Change-Id: I8f5bb983fafb46ec239a0dbab927cc4a801f3578
diff --git a/src/main/java/com/google/crypto/tink/integration/awskms/AwsKmsClient.java b/src/main/java/com/google/crypto/tink/integration/awskms/AwsKmsClient.java
@@ -189,8 +189,14 @@ public Aead getAead(String uri) throws GeneralSecurityException {
    *
    * <p>If {@code credentialPath} is present, load the credentials from that. Otherwise use the
    * default credentials.
+   *
+   * @deprecated It is preferable to not register KMS clients. Instead, create the AwsKmsClient
+   *     yourself and call {@link getAead} to get a remote {@code Aead}. Use this {@code Aead} to
+   *     encrypt a keyset for with {@code TinkProtoKeysetFormat.serializeEncryptedKeyset}, or to
+   *     create an envelope {@code Aead} using {@code KmsEnvelopeAead.create}.
    */
-  public static void register(Optional<String> keyUri, Optional<String> credentialPath)
+  @Deprecated
+  /* OSS: public */ static void register(Optional<String> keyUri, Optional<String> credentialPath)
       throws GeneralSecurityException {
     registerWithAwsKms(keyUri, credentialPath, null);
   }
