From fc4114883a4f88f45c6a6da5a7a0a0feb1fd2c36 Mon Sep 17 00:00:00 2001
From: Juerg Wullschleger <juerg@google.com>
Date: Mon, 28 Aug 2023 09:14:26 -0700
Subject: [PATCH] Deprecate some KMS client registration functions.

PiperOrigin-RevId: 560729256
Change-Id: If7b077a78089e5e1fca7d7c7ad4af1afe3ad2723
---
 .../crypto/tink/integration/gcpkms/GcpKmsClient.java      | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
index 5917aa4..36c9451 100644
--- a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
+++ b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsClient.java
@@ -186,8 +186,14 @@ public Aead getAead(String uri) throws GeneralSecurityException {
    *
    * <p>If {@code credentialPath} is present, load the credentials from that. Otherwise use the
    * default credentials.
+   *
+   * @deprecated It is preferable to not register KMS clients. Instead, create the GcpKmsClient
+   *     yourself and call {@link getAead} to get a remote {@code Aead}. Use this {@code Aead} to
+   *     encrypt a keyset with {@code TinkProtoKeysetFormat.serializeEncryptedKeyset}, or to create
+   *     an envelope {@code Aead} using {@code KmsEnvelopeAead.create}.
    */
-  public static void register(Optional<String> keyUri, Optional<String> credentialPath)
+  @Deprecated
+  /* OSS: public */ static void register(Optional<String> keyUri, Optional<String> credentialPath)
       throws GeneralSecurityException {
     GcpKmsClient client;
     if (keyUri.isPresent()) {