aws
diff --git a/‎releases/rust/db_esdk/Cargo.toml
+11-8 b/‎releases/rust/db_esdk/Cargo.toml
+11-8
diff --git a/‎releases/rust/db_esdk/dafny_runtime_rust/Cargo.toml
-2 b/‎releases/rust/db_esdk/dafny_runtime_rust/Cargo.toml
-2
diff --git a/‎releases/rust/db_esdk/examples/basic_get_put_example.rs
+10-15 b/‎releases/rust/db_esdk/examples/basic_get_put_example.rs
+10-15
diff --git a/‎releases/rust/db_esdk/examples/clientsupplier/client_supplier_example.rs
+16-26 b/‎releases/rust/db_esdk/examples/clientsupplier/client_supplier_example.rs
+16-26
diff --git a/‎releases/rust/db_esdk/examples/clientsupplier/regional_role_client_supplier.rs
+11-53 b/‎releases/rust/db_esdk/examples/clientsupplier/regional_role_client_supplier.rs
+11-53
diff --git a/‎releases/rust/db_esdk/examples/create_keystore_key.rs
+5-6 b/‎releases/rust/db_esdk/examples/create_keystore_key.rs
+5-6
@@ -2,19 +2,25 @@
 name = "aws-db-esdk"
 version = "0.1.0"
 edition = "2021"
+rust-version = "1.80.0"
+keywords = ["crypto", "cryptography", "security", "dynamodb", "ddb", "encryption", "client-side", "clientside"]
+license = "ISC AND (Apache-2.0 OR ISC)"
+description = "aws-db-esdk is a library for implementing client side encryption with DynamoDB."
+homepage = "https://github.com/aws/aws-database-encryption-sdk-dynamodb/tree/main/releases/rust/db_esdk"
+repository = "https://github.com/aws/aws-database-encryption-sdk-dynamodb/tree/main/releases/rust/db_esdk"
+authors = ["AWS-CryptoTools"]
+documentation = "https://docs.rs/crate/aws-db-esdk"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
 aws-config = "1.5.6"
 aws-lc-rs = "1.9.0"
-aws-lc-sys = "0.21.1"
-aws-sdk-dynamodb = "1.45.0"
-aws-sdk-kms = "1.43.0"
-aws-smithy-runtime = {version = "1.7.1", features = ["client"] }
+aws-lc-sys = "0.21.2"
+aws-sdk-dynamodb = "1.47.0"
+aws-sdk-kms = "1.44.0"
 aws-smithy-runtime-api = {version = "1.7.2", features = ["client"] }
 aws-smithy-types = "1.2.6"
-aws-types = "1.3.3"
 chrono = "0.4.38"
 dafny_runtime = { path = "dafny_runtime_rust"}
 dashmap = "6.1.0"
@@ -24,6 +30,3 @@ uuid = { version = "1.10.0", features = ["v4"] }
 
 [lib]
 path = "src/implementation_from_dafny.rs"
-
-[dev-dependencies]
-aws-sdk-sts = "1.43.0"
 
@@ -5,7 +5,5 @@ edition = "2021"
 
 [dependencies]
 once_cell = "1.18.0"
-paste = "1.0"
 num = "0.4"
 itertools = "0.11.0"
-as-any = "0.3.1"
@@ -28,22 +28,21 @@ use aws_db_esdk::types::dynamo_db_tables_encryption_config::DynamoDbTablesEncryp
    - Sort key is named "sort_key" with type (N)
 */
 
-pub async fn put_item_get_item() {
+pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
     let kms_key_id = test_utils::TEST_KMS_KEY_ID;
     let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
 
     // 1. Create a Keyring. This Keyring will be responsible for protecting the data keys that protect your data.
     //    For this example, we will create a AWS KMS Keyring with the AWS KMS Key we want to use.
     //    We will use the `CreateMrkMultiKeyring` method to create this keyring,
     //    as it will correctly handle both single region and Multi-Region KMS Keys.
-    let provider_config = MaterialProvidersConfig::builder().build().unwrap();
-    let mat_prov = client::Client::from_conf(provider_config).unwrap();
+    let provider_config = MaterialProvidersConfig::builder().build()?;
+    let mat_prov = client::Client::from_conf(provider_config)?;
     let kms_keyring = mat_prov
         .create_aws_kms_mrk_multi_keyring()
         .generator(kms_key_id)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     // 2. Configure which attributes are encrypted and/or signed when writing new items.
     //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
@@ -108,13 +107,11 @@ pub async fn put_item_get_item() {
         .algorithm_suite_id(
             DbeAlgorithmSuiteId::AlgAes256GcmHkdfSha512CommitKeyEcdsaP384SymsigHmacSha384,
         )
-        .build()
-        .unwrap();
+        .build()?;
 
     let table_configs = DynamoDbTablesEncryptionConfig::builder()
         .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
-        .build()
-        .unwrap();
+        .build()?;
 
     // 5. Create a new AWS SDK DynamoDb client using the TableEncryptionConfigs
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
@@ -146,13 +143,11 @@ pub async fn put_item_get_item() {
         ),
     ]);
 
-    let _resp = ddb
-        .put_item()
+    ddb.put_item()
         .table_name(ddb_table_name)
         .set_item(Some(item.clone()))
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     // 7. Get the item back from our table using the same client.
     //    The client will decrypt the item client-side, and return
@@ -176,9 +171,9 @@ pub async fn put_item_get_item() {
         // https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadConsistency.html
         .consistent_read(true)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     assert_eq!(resp.item, Some(item));
     println!("put_item_get_item successful.");
+    Ok(())
 }
@@ -32,7 +32,7 @@ use std::collections::HashMap;
    - Partition key is named "partition_key" with type (S)
    - Sort key is named "sort_key" with type (S)
 */
-pub async fn put_item_get_item() {
+pub async fn put_item_get_item() -> Result<(), crate::BoxError> {
     let ddb_table_name = test_utils::TEST_DDB_TABLE_NAME;
     // Note that we pass in an MRK in us-east-1...
     let key_arn = test_utils::TEST_MRK_REPLICA_KEY_ID_US_EAST_1.to_string();
@@ -47,24 +47,23 @@ pub async fn put_item_get_item() {
     //    2) the key must be an MRK with a replica defined
     //    in a region in the regions list, and the client
     //    must have the correct permissions to access the replica.
-    let mpl_config = MaterialProvidersConfig::builder().build().unwrap();
-    let mpl = mpl_client::Client::from_conf(mpl_config).unwrap();
+    let mpl_config = MaterialProvidersConfig::builder().build()?;
+    let mpl = mpl_client::Client::from_conf(mpl_config)?;
 
     // Create the multi-keyring using our custom client supplier
     // defined in the RegionalRoleClientSupplier class in this directory.
     // Note: RegionalRoleClientSupplier will internally use the key_arn's region
     // to retrieve the correct IAM role.
     let supplier_ref = ClientSupplierRef {
-        inner: std::rc::Rc::new(std::cell::RefCell::new(RegionalRoleClientSupplier::new())),
+        inner: std::rc::Rc::new(std::cell::RefCell::new(RegionalRoleClientSupplier {})),
     };
 
     let mrk_keyring_with_client_supplier = mpl
         .create_aws_kms_mrk_multi_keyring()
         .client_supplier(supplier_ref.clone())
         .generator(key_arn)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     // 2. Configure which attributes are encrypted and/or signed when writing new items.
     //    For each attribute that may exist on the items we plan to write to our DynamoDbTable,
@@ -116,13 +115,11 @@ pub async fn put_item_get_item() {
         .attribute_actions_on_encrypt(attribute_actions_on_encrypt.clone())
         .keyring(mrk_keyring_with_client_supplier)
         .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
-        .build()
-        .unwrap();
+        .build()?;
 
     let table_configs = DynamoDbTablesEncryptionConfig::builder()
         .table_encryption_configs(HashMap::from([(ddb_table_name.to_string(), table_config)]))
-        .build()
-        .unwrap();
+        .build()?;
 
     // 5. Create a new AWS SDK DynamoDb client using the DynamoDb Config above
     let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
@@ -149,13 +146,11 @@ pub async fn put_item_get_item() {
         ),
     ]);
 
-    let _resp = ddb
-        .put_item()
+    ddb.put_item()
         .table_name(ddb_table_name)
         .set_item(Some(item.clone()))
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     // 7. Get the item back from our table using the same keyring.
     //    The client will decrypt the item client-side using the MRK
@@ -174,8 +169,7 @@ pub async fn put_item_get_item() {
         .set_key(Some(key_to_get.clone()))
         .consistent_read(true)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     assert_eq!(
         resp.item.unwrap()["sensitive_data"],
@@ -193,17 +187,15 @@ pub async fn put_item_get_item() {
     let discovery_filter = DiscoveryFilter::builder()
         .partition("aws")
         .account_ids(account_ids)
-        .build()
-        .unwrap();
+        .build()?;
 
     let mrk_discovery_client_supplier_keyring = mpl
         .create_aws_kms_mrk_discovery_multi_keyring()
         .client_supplier(supplier_ref.clone())
         .discovery_filter(discovery_filter)
         .regions(regions)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     // 9. Create a new config and client using the discovery keyring.
     //     This is the same setup as above, except we provide the discovery keyring to the config.
@@ -214,16 +206,14 @@ pub async fn put_item_get_item() {
         .attribute_actions_on_encrypt(attribute_actions_on_encrypt)
         .keyring(mrk_discovery_client_supplier_keyring)
         .allowed_unsigned_attribute_prefix(UNSIGNED_ATTR_PREFIX)
-        .build()
-        .unwrap();
+        .build()?;
 
     let only_replica_table_configs = DynamoDbTablesEncryptionConfig::builder()
         .table_encryption_configs(HashMap::from([(
             ddb_table_name.to_string(),
             only_replica_table_config,
         )]))
-        .build()
-        .unwrap();
+        .build()?;
 
     let only_replica_dynamo_config = aws_sdk_dynamodb::config::Builder::from(&sdk_config)
         .interceptor(DbEsdkInterceptor::new(only_replica_table_configs))
@@ -245,13 +235,13 @@ pub async fn put_item_get_item() {
         .set_key(Some(key_to_get))
         .consistent_read(true)
         .send()
-        .await
-        .unwrap();
+        .await?;
 
     assert_eq!(
         resp.item.unwrap()["sensitive_data"],
         AttributeValue::S("encrypt and sign me!".to_string())
     );
 
     println!("client_supplier_example successful.");
+    Ok(())
 }
@@ -3,69 +3,40 @@ use aws_db_esdk::aws_cryptography_materialProviders::types::ClientSupplier;
 use aws_db_esdk::deps::aws_cryptography_materialProviders::operation::get_client::GetClientInput;
 use aws_db_esdk::deps::aws_cryptography_materialProviders::types::error::Error;
 use aws_db_esdk::deps::com_amazonaws_kms::client::Client as kms_client;
-use aws_sdk_sts::Client as sts_client;
 
 /*
  Example class demonstrating an implementation of a custom client supplier.
  This particular implementation will create KMS clients with different IAM roles,
  depending on the region passed.
 */
 
-pub struct RegionalRoleClientSupplier {
-    sts_client: sts_client, // private readonly AmazonSecurityTokenServiceClient _stsClient = new AmazonSecurityTokenServiceClient();
-}
-
-impl RegionalRoleClientSupplier {
-    pub fn new() -> Self {
-        let sdk_config = tokio::task::block_in_place(|| {
-            tokio::runtime::Handle::current().block_on(async {
-                aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
-            })
-        });
-        Self {
-            sts_client: sts_client::new(&sdk_config),
-        }
-    }
-}
+pub struct RegionalRoleClientSupplier {}
 
 impl ClientSupplier for RegionalRoleClientSupplier {
     fn get_client(&mut self, input: GetClientInput) -> Result<kms_client, Error> {
         let region = input.region.unwrap();
         let arn =
             super::regional_role_client_supplier_config::region_iam_role_map()[&region].clone();
-        let creds = tokio::task::block_in_place(|| {
+
+        use aws_config::sts::AssumeRoleProvider;
+
+        let provider = tokio::task::block_in_place(|| {
             tokio::runtime::Handle::current().block_on(async {
-                self.sts_client
-                    .assume_role()
-                    .role_arn(arn)
-                    .duration_seconds(900)
-                    .role_session_name("Rust-Client-Supplier-Example-Session")
-                    .send()
+                AssumeRoleProvider::builder(arn)
+                    .region(Region::new(region.clone()))
+                    .session_name("Rust-Client-Supplier-Example-Session")
+                    .build()
                     .await
             })
-        })
-        .unwrap();
-
-        let types_cred = creds.credentials.unwrap();
-        let config_creds = aws_sdk_sts::config::Credentials::new(
-            types_cred.access_key_id(),
-            types_cred.secret_access_key(),
-            Some(types_cred.session_token().to_string()),
-            Some(
-                std::time::SystemTime::UNIX_EPOCH
-                    + std::time::Duration::from_secs(types_cred.expiration().secs() as u64),
-            ),
-            "SomeProvider",
-        );
-        let cred_prov = aws_sdk_kms::config::SharedCredentialsProvider::new(config_creds);
+        });
 
         let sdk_config = tokio::task::block_in_place(|| {
             tokio::runtime::Handle::current().block_on(async {
                 aws_config::load_defaults(aws_config::BehaviorVersion::v2024_03_28()).await
             })
         });
         let kms_config = aws_sdk_kms::config::Builder::from(&sdk_config)
-            .credentials_provider(cred_prov)
+            .credentials_provider(provider)
             .region(Region::new(region))
             .build();
 
@@ -75,16 +46,3 @@ impl ClientSupplier for RegionalRoleClientSupplier {
         })
     }
 }
-// protected override IAmazonKeyManagementService _GetClient(GetClientInput getClientInput)
-// {
-//     String arn = _config.regionIamRoleMap[getClientInput.Region];
-//     Credentials creds = _stsClient.AssumeRoleAsync(new AssumeRoleRequest
-//     {
-//         RoleArn = arn,
-//         DurationSeconds = 900, // 15 minutes is the minimum value
-//         RoleSessionName = "Java-Client-Supplier-Example-Session"
-//     }
-//     ).Result.Credentials;
-
-//     return new AmazonKeyManagementServiceClient(creds, RegionEndpoint.GetBySystemName(getClientInput.Region));
-// }
@@ -22,7 +22,7 @@ use aws_db_esdk::aws_cryptography_keyStore::types::KmsConfiguration;
 
  This key creation should occur within your control plane.
 */
-pub async fn keystore_create_key() -> String {
+pub async fn keystore_create_key() -> Result<String, crate::BoxError> {
     let key_store_table_name = test_utils::TEST_KEYSTORE_NAME;
     let logical_key_store_name = test_utils::TEST_LOGICAL_KEYSTORE_NAME;
     let kms_key_arn = test_utils::TEST_KEYSTORE_KMS_KEY_ID;
@@ -37,15 +37,14 @@ pub async fn keystore_create_key() -> String {
         .ddb_table_name(key_store_table_name)
         .logical_key_store_name(logical_key_store_name)
         .kms_configuration(KmsConfiguration::KmsKeyArn(kms_key_arn.to_string()))
-        .build()
-        .unwrap();
+        .build()?;
 
-    let keystore = keystore_client::Client::from_conf(key_store_config).unwrap();
+    let keystore = keystore_client::Client::from_conf(key_store_config)?;
 
     // 2. Create a new branch key and beacon key in our KeyStore.
     //    Both the branch key and the beacon key will share an Id.
     //    This creation is eventually consistent.
 
-    let new_key = keystore.create_key().send().await.unwrap();
-    new_key.branch_key_identifier.unwrap()
+    let new_key = keystore.create_key().send().await?;
+    Ok(new_key.branch_key_identifier.unwrap())
 }