diff --git a/.github/workflows/ci_examples_java.yml b/.github/workflows/ci_examples_java.yml index e8850e81e..9174132cc 100644 --- a/.github/workflows/ci_examples_java.yml +++ b/.github/workflows/ci_examples_java.yml @@ -38,7 +38,6 @@ jobs: macos-latest ] runs-on: ${{ matrix.os }} - environment: "MPL CI" permissions: id-token: write contents: read @@ -51,18 +50,8 @@ jobs: role-session-name: DDBEC-Dafny-Java-Tests - uses: actions/checkout@v3 - - - name: Init Submodules - env: - # This secret is in the configured environment - # Token created on # 05/12/2023 - # expires in ~30 days 05/22/2023 - MPL_PAT: ${{ secrets.MPL_PAT }} - run: | - AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')" - git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH" - git config --global --add url.https://github.com/.insteadOf git@github.com: - git submodule update --init --recursive submodules/MaterialProviders + with: + submodules: recursive - name: Setup Java ${{ matrix.java-version }} uses: actions/setup-java@v3 diff --git a/.github/workflows/ci_test_java.yml b/.github/workflows/ci_test_java.yml index 34f711439..aa82c44db 100644 --- a/.github/workflows/ci_test_java.yml +++ b/.github/workflows/ci_test_java.yml @@ -40,7 +40,6 @@ jobs: macos-latest ] runs-on: ${{ matrix.os }} - environment: "MPL CI" permissions: id-token: write contents: read 
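Review bot: Dropping `environment: "MPL CI"` changes the identity these jobs present when they assume an AWS role through OIDC (the `id-token: write` and `role-session-name` context lines are still there): the token's `sub` claim no longer carries `environment:MPL CI`, so a trust policy scoped to that environment will stop matching, and one scoped only to the repository now accepts runs from every branch and pull request rather than from environment-gated runs; the GitHub OIDC trust condition is not in this diff, so please confirm it matches the new subject. Separately, `submodules: recursive` on `actions/checkout@v3` fetches the submodules with the job token, which checkout keeps in the repository's git config for the remaining steps unless told otherwise; none of these jobs push, so adding `persist-credentials: false` under the same `with:` keeps that token out of the workspace the build steps run in. The same change is repeated in ci_test_java.yml, ci_test_net.yml, ci_test_vector_java.yml and ci_verification.yml.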
@@ -53,18 +52,8 @@ jobs: role-session-name: DDBEC-Dafny-Java-Tests - uses: actions/checkout@v3 - - - name: Init Submodules - env: - # This secret is in the configured environment - # Token created on # 05/12/2023 - # expires in ~30 days 05/22/2023 - MPL_PAT: ${{ secrets.MPL_PAT }} - run: | - AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')" - git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH" - git config --global --add url.https://github.com/.insteadOf git@github.com: - git submodule update --init --recursive submodules/MaterialProviders + with: + submodules: recursive - name: Setup Dafny uses: dafny-lang/setup-dafny-action@v1.6.1 @@ -89,4 +78,8 @@ jobs: - name: Test ${{ matrix.library }} working-directory: ./${{ matrix.library }} run: | + # Clear MPL from cache + # We have to do this because MakeFile does not do this yet. The MakeFile automatically builds and deploys dependencies + # instead it should be picking it up from Maven. + rm -rf ~/.m2/repository/software/amazon/cryptography/aws-cryptographic-material-providers make test_java diff --git a/.github/workflows/ci_test_net.yml b/.github/workflows/ci_test_net.yml index 2ea6f6ede..b5dd6f205 100644 --- a/.github/workflows/ci_test_net.yml +++ b/.github/workflows/ci_test_net.yml @@ -40,7 +40,6 @@ jobs: macos-latest, ] runs-on: ${{ matrix.os }} - environment: "MPL CI" permissions: id-token: write contents: read 
@@ -49,18 +48,8 @@ jobs: DOTNET_NOLOGO: 1 steps: - uses: actions/checkout@v3 - - - name: Init Submodules - env: - # This secret is in the configured environment - # Token created on # 05/12/2023 - # expires in ~30 days 05/22/2023 - MPL_PAT: ${{ secrets.MPL_PAT }} - run: | - AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')" - git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH" - git config --global --add url.https://github.com/.insteadOf git@github.com: - git submodule update --init --recursive submodules/MaterialProviders + with: + submodules: recursive - name: Setup .NET Core SDK ${{ matrix.dotnet-version }} uses: actions/setup-dotnet@v3 diff --git a/.github/workflows/ci_test_vector_java.yml b/.github/workflows/ci_test_vector_java.yml index 05c0caf09..7f26a5773 100644 --- a/.github/workflows/ci_test_vector_java.yml +++ b/.github/workflows/ci_test_vector_java.yml @@ -17,7 +17,6 @@ jobs: ubuntu-latest ] runs-on: ${{ matrix.os }} - environment: "MPL CI" permissions: id-token: write contents: read @@ -36,17 +35,8 @@ jobs: role-session-name: DDBEC-Dafny-Java-Tests - uses: actions/checkout@v3 - - - name: Init Submodules - env: - # This secret is in the configured environment, - # and set to expire every 30 days - MPL_PAT: ${{ secrets.MPL_PAT }} - run: | - AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')" - git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH" - git config --global --add url.https://github.com/.insteadOf git@github.com: - git submodule update --init --recursive submodules/MaterialProviders + with: + submodules: recursive - name: Setup Dafny uses: dafny-lang/setup-dafny-action@v1.6.1 
@@ -70,4 +60,8 @@ jobs: - name: Test TestVectors working-directory: ./TestVectors run: | + # Clear MPL from cache + # We have to do this because MakeFile does not do this yet. The MakeFile automatically builds and deploys dependencies + # instead it should be picking it up from Maven. + rm -rf ~/.m2/repository/software/amazon/cryptography/aws-cryptographic-material-providers make test_java diff --git a/.github/workflows/ci_verification.yml b/.github/workflows/ci_verification.yml index e06e50c47..1a904961b 100644 --- a/.github/workflows/ci_verification.yml +++ b/.github/workflows/ci_verification.yml @@ -41,22 +41,11 @@ jobs: macos-latest, ] runs-on: ${{ matrix.os }} - environment: "MPL CI" steps: - uses: actions/checkout@v3 + with: + submodules: recursive - - name: Init Submodules - env: - # This secret is in the configured environment - # Token created on # 05/12/2023 - # expires in ~30 days 05/22/2023 - MPL_PAT: ${{ secrets.MPL_PAT }} - run: | - AUTH="$(echo -n "pat:${MPL_PAT}" | base64 | tr -d '\n')" - git config --global http.https://github.com/.extraheader "AUTHORIZATION: basic $AUTH" - git config --global --add url.https://github.com/.insteadOf git@github.com: - git submodule update --init --recursive submodules/MaterialProviders - - name: Setup Dafny uses: dafny-lang/setup-dafny-action@v1.6.1 with: diff --git a/.gitmodules b/.gitmodules index 2e0232298..894ca5e35 100644 --- a/.gitmodules +++ b/.gitmodules @@ -3,4 +3,4 @@ url = https://github.com/aws/aws-cryptographic-material-providers-library-java.git [submodule "submodules/smithy-dafny"] path = submodules/smithy-dafny - url = git@github.com:awslabs/smithy-dafny.git + url = https://github.com/awslabs/smithy-dafny.git diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..a329b88d2 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,8 @@ +# Changelog + +## 3.0.0-preview-1 2023-06-08 + +### Features +- Initial release of the AWS Database Encryption SDK. + This release is considered a [developer preview](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle) + and is not intended for production use cases. diff --git a/DynamoDbEncryption/runtimes/java/build.gradle.kts b/DynamoDbEncryption/runtimes/java/build.gradle.kts index 35d257243..b266fb6cf 100644 --- a/DynamoDbEncryption/runtimes/java/build.gradle.kts +++ b/DynamoDbEncryption/runtimes/java/build.gradle.kts @@ -7,10 +7,12 @@ plugins { `java` `java-library` `maven-publish` + `signing` + id("io.github.gradle-nexus.publish-plugin") version "1.3.0" } group = "software.amazon.cryptography" -version = "1.0-SNAPSHOT" +version = "3.0.0-preview-1" description = "Aws Database Encryption Sdk for DynamoDb Java" java { @@ -68,7 +70,7 @@ val dynamodb by configurations.creating dependencies { implementation("org.dafny:DafnyRuntime:4.1.0") implementation("software.amazon.smithy.dafny:conversion:0.1") - implementation("software.amazon.cryptography:AwsCryptographicMaterialProviders:1.0-SNAPSHOT") + implementation("software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0-preview-1") implementation(platform("software.amazon.awssdk:bom:2.19.1")) implementation("software.amazon.awssdk:dynamodb") 
@@ -107,12 +109,55 @@ dependencies { } publishing { + publications.create("mavenLocal") { + groupId = "software.amazon.cryptography" + artifactId = "aws-database-encryption-sdk-dynamodb" + from(components["java"]) + } + publications.create("maven") { groupId = "software.amazon.cryptography" artifactId = "aws-database-encryption-sdk-dynamodb" from(components["java"]) + + // Include extra information in the POMs. + afterEvaluate { + pom { + name.set("AWS Database Encryption SDK for DynamoDB") + description.set("AWS Database Encryption SDK for DynamoDB in Java") + url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java") + licenses { + license { + name.set("Apache License 2.0") + url.set("http://www.apache.org/licenses/LICENSE-2.0.txt") + distribution.set("repo") + } + } + developers { + developer { + id.set("amazonwebservices") + organization.set("Amazon Web Services") + organizationUrl.set("https://aws.amazon.com") + roles.add("developer") + } + } + scm { + url.set("https://github.com/aws/aws-database-encryption-sdk-dynamodb-java.git") + } + } + } + } + repositories { + mavenLocal() + maven { + name = "StagingCodeArtifact" + url = URI.create("https://crypto-tools-internal-587316601012.d.codeartifact.us-east-1.amazonaws.com/maven/java-dbesdk-ddb-staging/") + credentials { + username = "aws" + password = System.getenv("CODEARTIFACT_TOKEN") + } + } } - repositories { mavenLocal() } } tasks.withType() { 
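Review bot: The new `mavenLocal` publication shares the coordinates of `maven` but is never signed (only `publishing.publications["maven"]` is passed to `sign`), and `maven-publish` generates a task for every publication × repository pair, so the `publish` lifecycle task or `publishAllPublicationsToStagingCodeArtifactRepository` would upload the unsigned `mavenLocal` artifacts to StagingCodeArtifact alongside the signed ones. The Makefile sidesteps this by calling `publishMavenPublicationToStagingCodeArtifactRepository` by name, which is easy to lose; `tasks.withType<PublishToMavenRepository>().configureEach { onlyIf { publication.name == "maven" } }` pins it in the build itself. The license URL in the POM, `http://www.apache.org/licenses/LICENSE-2.0.txt`, can be `https://`. The `publishing` block's opening line is outside the hunk.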
@@ -185,3 +230,36 @@ tasks.javadoc { } exclude("src/main/dafny-generated") } + +nexusPublishing { + // We are using the nexusPublishing plugin since it is recommended by Sonatype Gradle Project configurations + // and it is easy to supply the creds we need to deploy + // https://github.com/gradle-nexus/publish-plugin/ + repositories { + sonatype { + nexusUrl.set(uri("https://aws.oss.sonatype.org/service/local/")) + snapshotRepositoryUrl.set(uri("https://aws.oss.sonatype.org/content/repositories/snapshots/")) + username.set(System.getenv("SONA_USERNAME")) + password.set(System.getenv("SONA_PASSWORD")) + } + } +} + +signing { + useGpgCmd() + + // Dynamically set these properties + project.ext.set("signing.gnupg.executable", "gpg") + project.ext.set("signing.gnupg.useLegacyGpg" , "true") + project.ext.set("signing.gnupg.homeDir", System.getenv("HOME") + "/.gnupg/") + project.ext.set("signing.gnupg.optionsFile", System.getenv("HOME") + "/.gnupg/gpg.conf") + project.ext.set("signing.gnupg.keyName", System.getenv("GPG_KEY")) + project.ext.set("signing.gnupg.passphrase", System.getenv("GPG_PASS")) + + // Signing is required if building a release version and if we're going to publish it. + // Otherwise if doing a maven publication we will sign + setRequired({ + gradle.getTaskGraph().hasTask("publish") + }) + sign(publishing.publications["maven"]) +} diff --git a/Examples/runtimes/java/DynamoDbEncryption/build.gradle.kts b/Examples/runtimes/java/DynamoDbEncryption/build.gradle.kts index 8ad911775..826901239 100644 --- a/Examples/runtimes/java/DynamoDbEncryption/build.gradle.kts +++ b/Examples/runtimes/java/DynamoDbEncryption/build.gradle.kts 
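Review bot: `setRequired({ gradle.getTaskGraph().hasTask("publish") })` makes a signature mandatory only when the `publish` lifecycle task is in the graph (assuming `hasTask` matches that path as written), yet every publish in this change is invoked by its specific task name, `publishMavenPublicationToStagingCodeArtifactRepository` in SharedMakefile.mk and `publishMavenPublicationToSonatypeRepository` in release-prod.yml, for which the predicate is false; when `required` is false Gradle skips the `Sign` task if no signatory can be resolved (for example `GPG_KEY` unset) and the repository task then uploads unsigned artifacts instead of failing. The comment above it also promises a release-version check that the predicate does not implement. `setRequired({ gradle.taskGraph.allTasks.any { it is PublishToMavenRepository } })` ties the requirement to any remote publish, and the comment should say that.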
@@ -24,14 +24,14 @@ java { var caUrl: URI? = null @Nullable -val caUrlStr: String? = System.getenv("CODEARTIFACT_URL_JAVA_CONVERSION") +val caUrlStr: String? = System.getenv("CODEARTIFACT_REPO_URL") if (!caUrlStr.isNullOrBlank()) { caUrl = URI.create(caUrlStr) } var caPassword: String? = null @Nullable -val caPasswordString: String? = System.getenv("CODEARTIFACT_AUTH_TOKEN") +val caPasswordString: String? = System.getenv("CODEARTIFACT_TOKEN") if (!caPasswordString.isNullOrBlank()) { caPassword = caPasswordString } @@ -56,8 +56,8 @@ repositories { } dependencies { - implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:AwsCryptographicMaterialProviders:1.0-SNAPSHOT") + implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0-preview-1") + implementation("software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0-preview-1") implementation(platform("software.amazon.awssdk:bom:2.19.1")) implementation("software.amazon.awssdk:arns") diff --git a/Examples/runtimes/java/Migration/DDBECToAWSDBE/build.gradle.kts b/Examples/runtimes/java/Migration/DDBECToAWSDBE/build.gradle.kts index 53664239f..e009681d4 100644 --- a/Examples/runtimes/java/Migration/DDBECToAWSDBE/build.gradle.kts +++ b/Examples/runtimes/java/Migration/DDBECToAWSDBE/build.gradle.kts @@ -24,14 +24,14 @@ java { var caUrl: URI? = null @Nullable -val caUrlStr: String? = System.getenv("CODEARTIFACT_URL_JAVA_CONVERSION") +val caUrlStr: String? = System.getenv("CODEARTIFACT_REPO_URL") if (!caUrlStr.isNullOrBlank()) { caUrl = URI.create(caUrlStr) } var caPassword: String? = null @Nullable -val caPasswordString: String? = System.getenv("CODEARTIFACT_AUTH_TOKEN") +val caPasswordString: String? = System.getenv("CODEARTIFACT_TOKEN") if (!caPasswordString.isNullOrBlank()) { caPassword = caPasswordString } 
@@ -56,8 +56,8 @@ repositories { } dependencies { - implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:AwsCryptographicMaterialProviders:1.0-SNAPSHOT") + implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0-preview-1") + implementation("software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0-preview-1") implementation(platform("software.amazon.awssdk:bom:2.19.1")) implementation("software.amazon.awssdk:dynamodb") diff --git a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/build.gradle.kts b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/build.gradle.kts index 64e285f0c..5fd23d7c3 100644 --- a/Examples/runtimes/java/Migration/PlaintextToAWSDBE/build.gradle.kts +++ b/Examples/runtimes/java/Migration/PlaintextToAWSDBE/build.gradle.kts @@ -24,14 +24,14 @@ java { var caUrl: URI? = null @Nullable -val caUrlStr: String? = System.getenv("CODEARTIFACT_URL_JAVA_CONVERSION") +val caUrlStr: String? = System.getenv("CODEARTIFACT_REPO_URL") if (!caUrlStr.isNullOrBlank()) { caUrl = URI.create(caUrlStr) } var caPassword: String? = null @Nullable -val caPasswordString: String? = System.getenv("CODEARTIFACT_AUTH_TOKEN") +val caPasswordString: String? = System.getenv("CODEARTIFACT_TOKEN") if (!caPasswordString.isNullOrBlank()) { caPassword = caPasswordString } @@ -56,8 +56,8 @@ repositories { } dependencies { - implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:AwsCryptographicMaterialProviders:1.0-SNAPSHOT") + implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0-preview-1") + implementation("software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0-preview-1") implementation(platform("software.amazon.awssdk:bom:2.19.1")) implementation("software.amazon.awssdk:dynamodb") 
diff --git a/README.md b/README.md index 2d676bbcc..e3c19e85f 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,10 @@ # AWS Database Encryption SDK for DynamoDB in Java +Note: The AWS Cryptographic Material Providers Library is released as a +[developer preview](https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle) +and is subject to change. +The current release is not intended to be used in production environments. + The AWS Database Encryption SDK (DB-ESDK) for DynamoDB in Java is a client-side encryption library that allows you to perform attribute-level encryption, enabling you to encrypt specific attribute values within items before storing them in your DynamoDB table. All encryption and diff --git a/SUPPORT_POLICY.rst b/SUPPORT_POLICY.rst index bfbaeb572..ec68f6d23 100644 --- a/SUPPORT_POLICY.rst +++ b/SUPPORT_POLICY.rst @@ -21,9 +21,9 @@ This table describes the current support status of each major version of the AWS - Current status - Next status - Next status date - * - 3.x - - General Availability + * - 3.0.0-preview-1 + - Developer Preview - - -.. _AWS SDKs and Tools Maintenance Policy: https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle \ No newline at end of file +.. _AWS SDKs and Tools Maintenance Policy: https://docs.aws.amazon.com/sdkref/latest/guide/maint-policy.html#version-life-cycle diff --git a/SharedMakefile.mk b/SharedMakefile.mk index 86d92845a..f7fbd3e02 100644 --- a/SharedMakefile.mk +++ b/SharedMakefile.mk @@ -345,7 +345,10 @@ mvn_local_deploy_dependencies: # The Java MUST all exist already through the transpile step. mvn_local_deploy: - gradle -p runtimes/java publishToMavenLocal + gradle -p runtimes/java publishMavenLocalPublicationToMavenLocal + +mvn_staging_deploy: + gradle -p runtimes/java publishMavenPublicationToStagingCodeArtifactRepository test_java: # run Dafny generated tests 
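Review bot: `mvn_staging_deploy` carries no comment, while the target above it records the precondition that the Java sources must already exist from the transpile step, and the new target additionally depends on environment that is only visible in the gradle file and buildspecs: `CODEARTIFACT_TOKEN` for the StagingCodeArtifact credentials and the `GPG_KEY`/`GPG_PASS` variables the signing block reads. Suggest `# Publishes the signed "maven" publication to StagingCodeArtifact; needs CODEARTIFACT_TOKEN and the GPG_* signing variables (see codebuild/staging/release-staging.yml).` above the target. If the file declares `.PHONY` targets elsewhere (not visible in this hunk), add the new target there as well.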
diff --git a/TestVectors/runtimes/java/build.gradle.kts b/TestVectors/runtimes/java/build.gradle.kts index ca3fa04d1..d04078934 100644 --- a/TestVectors/runtimes/java/build.gradle.kts +++ b/TestVectors/runtimes/java/build.gradle.kts @@ -32,6 +32,20 @@ tasks.withType() { options.encoding = "UTF-8" } +var caUrl: URI? = null +@Nullable +val caUrlStr: String? = System.getenv("CODEARTIFACT_REPO_URL") +if (!caUrlStr.isNullOrBlank()) { + caUrl = URI.create(caUrlStr) +} + +var caPassword: String? = null +@Nullable +val caPasswordString: String? = System.getenv("CODEARTIFACT_TOKEN") +if (!caPasswordString.isNullOrBlank()) { + caPassword = caPasswordString +} + repositories { maven { name = "DynamoDB Local Release Repository - US West (Oregon) Region" @@ -39,6 +53,16 @@ repositories { } mavenCentral() mavenLocal() + if (caUrl != null && caPassword != null) { + maven { + name = "CodeArtifact" + url = caUrl!! + credentials { + username = "aws" + password = caPassword!! + } + } + } } // Configuration to hold SQLLite information. 
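Review bot: The CodeArtifact repository is appended after `mavenCentral()` and `mavenLocal()`, so for the preview coordinates it is consulted only when both of those miss; a stale copy in `~/.m2` satisfies `aws-cryptographic-material-providers:1.0.0-preview-1` before the staged artifact is ever fetched, which is exactly what the `rm -rf ~/.m2/repository/software/amazon/cryptography/...` lines added to the workflows in this commit work around. Declaring the CodeArtifact repository before `mavenLocal()`, or narrowing `mavenLocal()` with a `content { }` filter to the groups that are genuinely built locally, makes the validation test the published artifact by construction rather than by cache hygiene. The `caUrl!!` / `caPassword!!` assertions are safe only because of the preceding null check; binding both to `val`s before the `if` lets the compiler smart-cast and removes the `!!`.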
@@ -48,12 +72,8 @@ val dynamodb by configurations.creating dependencies { implementation("org.dafny:DafnyRuntime:4.0.0") implementation("software.amazon.smithy.dafny:conversion:0.1") - implementation("software.amazon.cryptography:StandardLibrary:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:AwsCryptographyPrimitives:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:AwsCryptographicMaterialProviders:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:ComAmazonawsDynamodb:1.0-SNAPSHOT") - implementation("software.amazon.cryptography:ComAmazonawsKms:1.0-SNAPSHOT") + implementation("software.amazon.cryptography:aws-cryptographic-material-providers:1.0.0-preview-1") + implementation("software.amazon.cryptography:aws-database-encryption-sdk-dynamodb:3.0.0-preview-1") implementation("software.amazon.cryptography:TestAwsCryptographicMaterialProviders:1.0-SNAPSHOT") implementation(platform("software.amazon.awssdk:bom:2.19.1")) diff --git a/cfn/CB-Staging.yml b/cfn/CB-Staging.yml index 62738da13..95f38dd97 100644 --- a/cfn/CB-Staging.yml +++ b/cfn/CB-Staging.yml @@ -57,7 +57,7 @@ Resources: ComputeType: BUILD_GENERAL1_LARGE Image: "aws/codebuild/standard:5.0" ImagePullCredentialsType: CODEBUILD - PrivilegedMode: false + PrivilegedMode: true Type: LINUX_CONTAINER ServiceRole: !GetAtt CodeBuildServiceRoleRelease.Arn TimeoutInMinutes: 60 
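Review bot: `PrivilegedMode: true` gives the whole release/staging CodeBuild project a privileged Docker daemon, but the only buildspec in this change that needs it is codebuild/release/validate-release.yml (it runs `docker run ... amazon/dynamodb-local`); the staging publish, the Sonatype publish and the GPG signing steps now also run privileged with the release secrets in scope. If the project cannot be split so that only the validation build is privileged, at least record the reason beside the flag so it is not widened further: `# Privileged mode is needed only for DynamoDB Local via docker in validate-release.yml`. The `Environment` block this line belongs to starts outside the hunk.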
@@ -93,9 +93,33 @@ Resources: - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicyRelease - !Ref ParameterStorePolicy + - !Ref CodeBuildCISTSAllow - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess" + + CodeBuildCISTSAllow: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub >- + CodeBuildCISTSAllow-${ProjectName} + Path: /service-role/ + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Resource": [ + "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2", + "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-us-east-1-KMS-keys", + "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-only-eu-west-1-KMS-keys" + ] + } + ] + } + CodeBuildBatchPolicy: Type: "AWS::IAM::ManagedPolicy" Properties: diff --git a/cfn/CI.yaml b/cfn/CI.yaml index fb38cbe20..26de838fe 100644 --- a/cfn/CI.yaml +++ b/cfn/CI.yaml @@ -319,17 +319,20 @@ Resources: } } }, - { - "Effect": "Allow", - "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, - "Action": "sts:AssumeRole" - }, { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release" + "AWS": "*" }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-DBESDK-DDB-Java-service-role-release", + "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" + ] + } + } } ] } 
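Review bot: The replacement statement trusts `"AWS": "*"` and relies entirely on the `aws:PrincipalArn` condition to bound who may assume the role; that is a legitimate pattern (a role ARN written in `Principal` is stored as the role's unique ID and silently stops matching if the trusted role is deleted and recreated, whereas the condition key compares the ARN string), but the template should record that rationale next to the statement, because a wildcard principal reads as an open trust to anyone reviewing the stack later. Since the policy lives inside a `!Sub |` block scalar the comment must go above the property rather than inside the JSON, e.g. `# Principal "*" is deliberate: callers are pinned by the aws:PrincipalArn condition, which unlike a principal ARN survives recreation of the trusted role.` The trusted CodeBuild role also changes from `codebuild-AWS-MPL-Java-service-role-release` to `codebuild-AWS-DBESDK-DDB-Java-service-role-release`; the role actually created by cfn/CB-Staging.yml (`CodeBuildServiceRoleRelease`) is outside this diff, so confirm its name matches. The same statement is repeated in the two following hunks of this file.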
@@ -367,17 +370,20 @@ Resources: } } }, - { - "Effect": "Allow", - "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, - "Action": "sts:AssumeRole" - }, { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release" + "AWS": "*" }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-DBESDK-DDB-Java-service-role-release", + "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" + ] + } + } } ] } @@ -415,17 +421,20 @@ Resources: } } }, - { - "Effect": "Allow", - "Principal": { "AWS": "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" }, - "Action": "sts:AssumeRole" - }, { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-MPL-Java-service-role-release" + "AWS": "*" }, - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:PrincipalArn": [ + "arn:aws:iam::587316601012:role/service-role/codebuild-AWS-DBESDK-DDB-Java-service-role-release", + "arn:aws:iam::${AWS::AccountId}:role/ToolsDevelopment" + ] + } + } } ] } diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml new file mode 100644 index 000000000..6248a1430 --- /dev/null +++ b/codebuild/release/release-prod.yml 
@@ -0,0 +1,64 @@ +## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +## SPDX-License-Identifier: Apache-2.0 + +version: 0.2 + +env: + variables: + BRANCH: "main" + parameter-store: + ACCOUNT: /CodeBuild/AccountId + secrets-manager: + GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname + GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase + SONA_USERNAME: Sonatype-Team-Account:Username + SONA_PASSWORD: Sonatype-Team-Account:Password + +phases: + install: + runtime-versions: + java: corretto8 + commands: + - cd .. + # Get Dafny + - curl https://github.com/dafny-lang/dafny/releases/download/v4.1.0/dafny-4.1.0-x64-ubuntu-20.04.zip -L -o dafny.zip + - unzip -qq dafny.zip && rm dafny.zip + - export PATH="$PWD/dafny:$PATH" + # Get Gradle 7.6 + - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip + - unzip -qq gradle.zip && rm gradle.zip + - export PATH="$PWD/gradle-7.6/bin:$PATH" + - cd aws-database-encryption-sdk-dynamodb-java/ + pre_build: + commands: + - git checkout $BRANCH + - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz + - tar -xvf ~/mvn_gpg.tgz -C ~ + # Create default location where GPG looks for creds and keys + - mkdir /root/.gnupg + # Add configuration options to GPG Agent + - printf "use-agent\npinentry-mode loopback" >> ~/mvn_gpg/gpg.conf + - printf "allow-loopback-pinentry" >> ~/mvn_gpg/gpg-agent.conf + # Add keys to GPG default location where GPG agent will look + - mv -v ~/mvn_gpg/* /root/.gnupg/ + - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources") + - export TMP_ROLE + - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId') + - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') + - export AWS_SESSION_TOKEN=$(echo 
"${TMP_ROLE}" | jq -r '.Credentials.SessionToken') + - aws sts get-caller-identity + build: + commands: + - cd DynamoDbEncryption/ + # Build and deploy to maven local + - make transpile_implementation_java + - make transpile_test_java + - make mvn_local_deploy + - make test_java + # run extensive tests + - gradle -p runtimes/java clean + - gradle -p runtimes/java test + + # Publish to Sonatype + - gradle -p runtimes/java publishMavenPublicationToSonatypeRepository closeSonatypeStagingRepository + - gradle -p runtimes/java findSonatypeStagingRepository releaseSonatypeStagingRepository diff --git a/codebuild/release/release.yml b/codebuild/release/release.yml new file mode 100644 index 000000000..9111a41cc --- /dev/null +++ b/codebuild/release/release.yml 
@@ -0,0 +1,92 @@ +## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +## SPDX-License-Identifier: Apache-2.0 + +version: 0.2 + +batch: + fast-fail: true + build-graph: + +# Release to CodeArtifact + - identifier: release_staging + buildspec: codebuild/staging/release-staging.yml + env: + variables: + JAVA_ENV_VERSION: corretto8 + JAVA_NUMERIC_VERSION: 8 + image: aws/codebuild/standard:5.0 + + - identifier: validate_staging_corretto8 + depend-on: + - release_staging + buildspec: codebuild/staging/validate-staging.yml + env: + variables: + JAVA_ENV_VERSION: corretto8 + JAVA_NUMERIC_VERSION: 8 + image: aws/codebuild/standard:5.0 + + - identifier: validate_staging_corretto11 + depend-on: + - release_staging + buildspec: codebuild/staging/validate-staging.yml + env: + variables: + JAVA_ENV_VERSION: corretto11 + JAVA_NUMERIC_VERSION: 11 + image: aws/codebuild/standard:5.0 + + - identifier: validate_staging_corretto17 + depend-on: + - release_staging + buildspec: codebuild/staging/validate-staging.yml + env: + variables: + JAVA_ENV_VERSION: corretto17 + JAVA_NUMERIC_VERSION: 17 + image: aws/codebuild/standard:7.0 + + - identifier: upload_to_sonatype + depend-on: + - validate_staging_corretto8 + - validate_staging_corretto11 + - validate_staging_corretto17 + buildspec: codebuild/release/release-prod.yml + env: + variables: + JAVA_ENV_VERSION: corretto8 + JAVA_NUMERIC_VERSION: 8 + image: aws/codebuild/standard:5.0 + + ## The following steps are expected to fail; since maven central takes time to + ## update its index. For now, a manual download of the jar is needed to assert artifacts are + ## available. For more information, consult the MCM used for this release. 
+ - identifier: validate_release_corretto8 + depend-on: + - upload_to_sonatype + buildspec: codebuild/release/validate-release.yml + env: + variables: + JAVA_ENV_VERSION: corretto8 + JAVA_NUMERIC_VERSION: 8 + image: aws/codebuild/standard:5.0 + + - identifier: validate_release_corretto11 + depend-on: + - upload_to_sonatype + buildspec: codebuild/release/validate-release.yml + env: + variables: + JAVA_ENV_VERSION: corretto11 + JAVA_NUMERIC_VERSION: 11 + image: aws/codebuild/standard:5.0 + + - identifier: validate_release_corretto17 + depend-on: + - upload_to_sonatype + buildspec: codebuild/release/validate-release.yml + env: + variables: + JAVA_ENV_VERSION: corretto17 + JAVA_NUMERIC_VERSION: 17 + image: aws/codebuild/standard:7.0 diff --git a/codebuild/release/validate-release.yml b/codebuild/release/validate-release.yml new file mode 100644 index 000000000..0aa6e427a --- /dev/null +++ b/codebuild/release/validate-release.yml 
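Review bot: The `# Release to CodeArtifact` comment sits at column 0 inside the `build-graph` sequence while the entry it introduces is indented, which yamllint's `comments-indentation` rule rejects and which visually detaches it from `release_staging`; indent it to the list items' level. The `validate_release_*` entries are documented as expected to fail, but nothing in the graph encodes that, so with `fast-fail: true` a reader cannot tell a genuine regression in those jobs from the anticipated index-lag failure; consider setting the build-graph `ignore-failure: true` attribute on those three entries, or at least repeating the expectation in a comment on each identifier.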
@@ -0,0 +1,64 @@ +## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved. +## SPDX-License-Identifier: Apache-2.0 + +version: 0.2 + +env: + parameter-store: + ACCOUNT: /CodeBuild/AccountId + +phases: + install: + runtime-versions: + java: $JAVA_ENV_VERSION + commands: + - cd .. + # Get Dafny + - curl https://github.com/dafny-lang/dafny/releases/download/v4.1.0/dafny-4.1.0-x64-ubuntu-20.04.zip -L -o dafny.zip + - unzip -qq dafny.zip && rm dafny.zip + - export PATH="$PWD/dafny:$PATH" + # Get Gradle 7.6 + - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip + - unzip -qq gradle.zip && rm gradle.zip + - export PATH="$PWD/gradle-7.6/bin:$PATH" + - cd aws-database-encryption-sdk-dynamodb-java/ + pre_build: + commands: + # Get CI Creds to be able to call DBESDK TestVectors + - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources") + - export TMP_ROLE + - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId') + - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') + - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken') + - aws sts get-caller-identity + build: + commands: + # Since no CA creds were exported the jar will not be pulled down from CA. + # In order, gradle will look for the defined dependencies in: + # - Maven Central + # - Maven Local + # - AWS CodeArtifact + # Run transpile by itself. 
We don't want to locally build the MPL because + # we want to verify that the version pulled down from maven works correctly + - cd submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders + - make transpile_implementation_java + - make transpile_test_java + - make mvn_local_deploy + + # Run test Vectors + - cd ../../../TestVectors + # Spin up ddb local + - docker run --name dynamodb -d -p 8000:8000 amazon/dynamodb-local -jar DynamoDBLocal.jar -port 8000 -inMemory -cors * + # Run transpile by itself so we don't locally build the MPL. + - make transpile_implementation_java + - make transpile_test_java + - gradle -p runtimes/java runTests + + # Test Examples + - cd ../Examples + # Run Simple Examples + - gradle -p runtimes/java/DynamoDbEncryption test + # Run Migration Examples + - gradle -p runtimes/java/Migration/PlaintextToAWSDBE test + - gradle -p runtimes/java/Migration/DDBECToAWSDBE test + \ No newline at end of file diff --git a/codebuild/staging/release-staging.yml b/codebuild/staging/release-staging.yml new file mode 100644 index 000000000..539dac9f0 --- /dev/null +++ b/codebuild/staging/release-staging.yml 
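Review bot: In `docker run ... -inMemory -cors *` the trailing `*` is an unquoted shell glob, and because the preceding command has `cd`-ed into `TestVectors` it expands to that directory's entries before `docker` sees it, so DynamoDB Local receives file names as its `-cors` value (and extra stray arguments) instead of `*`; quote it as `-cors '*'`. The container is never stopped or removed, which is harmless in a throwaway CodeBuild environment but worth a `docker rm -f dynamodb` in a `finally:` block if this buildspec is ever reused elsewhere. The file also ends with a whitespace-only line and no final newline.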
@@ -0,0 +1,60 @@
+## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+version: 0.2
+
+env:
+ variables:
+ REGION: us-east-1
+ DOMAIN: crypto-tools-internal
+ REPOSITORY: java-dbesdk-ddb-staging
+ parameter-store:
+ ACCOUNT: /CodeBuild/AccountId
+ secrets-manager:
+ GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname
+ GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase
+
+phases:
+ install:
+ runtime-versions:
+ java: corretto8
+ commands:
+ - cd ..
+ # Get Dafny
+ - curl https://github.com/dafny-lang/dafny/releases/download/v4.1.0/dafny-4.1.0-x64-ubuntu-20.04.zip -L -o dafny.zip
+ - unzip -qq dafny.zip && rm dafny.zip
+ - export PATH="$PWD/dafny:$PATH"
+ # Get Gradle 7.6
+ - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
+ - unzip -qq gradle.zip && rm gradle.zip
+ - export PATH="$PWD/gradle-7.6/bin:$PATH"
+ - cd aws-database-encryption-sdk-dynamodb-java/
+ pre_build:
+ commands:
+ - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain crypto-tools-internal --domain-owner 587316601012 --region us-east-1 --query authorizationToken --output text)
+ - export CODEARTIFACT_REPO_URL=https://crypto-tools-internal-587316601012.d.codeartifact.us-east-1.amazonaws.com/maven/java-dbesdk-ddb-staging/
+ - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz
+ - tar -xvf ~/mvn_gpg.tgz -C ~
+ - mkdir /root/.gnupg
+ - printf "use-agent\npinentry-mode loopback" >> ~/mvn_gpg/gpg.conf
+ - printf "allow-loopback-pinentry" >> ~/mvn_gpg/gpg-agent.conf
+ - mv -v ~/mvn_gpg/* /root/.gnupg/
+ - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+ - export TMP_ROLE
+ - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+ - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+ - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+ - aws sts get-caller-identity
+ build:
+ commands:
+ - cd DynamoDbEncryption/
+ # Build and deploy to maven local
+ - make transpile_implementation_java
+ - make transpile_test_java
+ - make mvn_local_deploy
+ - make test_java
+ # run extensive tests
+ - gradle -p runtimes/java clean
+ - gradle -p runtimes/java test
+ # Deploy to CA
+ - make mvn_staging_deploy
diff --git a/codebuild/staging/validate-staging.yml b/codebuild/staging/validate-staging.yml
new file mode 100644
index 000000000..7ee7814bc
--- /dev/null
+++ b/codebuild/staging/validate-staging.yml
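Review bot: `export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token ...)` in pre_build reports the exit status of `export`, not of the aws call, so a failed token request leaves an empty token and the build keeps going until `make mvn_staging_deploy` fails with an opaque authorization error; splitting it into `- CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token ...)` followed by `- export CODEARTIFACT_TOKEN`, the pattern the file already uses for TMP_ROLE, stops the build at the step that actually failed (validate-staging.yml has the same line). The GPG key handling is also looser than it needs to be: `tar -xvf` writes the names of the extracted key files to the build log, `mkdir /root/.gnupg` creates the directory under the default umask rather than mode 700, and `~/mvn_gpg.tgz` holding the private signing key stays on disk for the rest of the build; `tar -xf`, `mkdir -m 700 /root/.gnupg` and an `rm ~/mvn_gpg.tgz` after extraction close those gaps. Finally, the env block defines REGION, DOMAIN and REPOSITORY but the two CodeArtifact commands hard-code `crypto-tools-internal`, `us-east-1` and `java-dbesdk-ddb-staging` instead of reading `$DOMAIN`, `$REGION` and `$REPOSITORY`, so the variables are dead and the two copies can drift apart (validate-staging.yml has the same pair).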
@@ -0,0 +1,65 @@
+## Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+version: 0.2
+
+env:
+ variables:
+ REGION: us-east-1
+ DOMAIN: crypto-tools-internal
+ REPOSITORY: java-dbesdk-ddb-staging
+ parameter-store:
+ ACCOUNT: /CodeBuild/AccountId
+
+phases:
+ install:
+ runtime-versions:
+ java: $JAVA_ENV_VERSION
+ commands:
+ - cd ..
+ # Get Dafny
+ - curl https://github.com/dafny-lang/dafny/releases/download/v4.1.0/dafny-4.1.0-x64-ubuntu-20.04.zip -L -o dafny.zip
+ - unzip -qq dafny.zip && rm dafny.zip
+ - export PATH="$PWD/dafny:$PATH"
+ # Get Gradle 7.6
+ - curl https://services.gradle.org/distributions/gradle-7.6-all.zip -L -o gradle.zip
+ - unzip -qq gradle.zip && rm gradle.zip
+ - export PATH="$PWD/gradle-7.6/bin:$PATH"
+ - cd aws-database-encryption-sdk-dynamodb-java/
+ pre_build:
+ commands:
+ # Get published CA DBESDK jar
+ - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain crypto-tools-internal --domain-owner 587316601012 --region us-east-1 --query authorizationToken --output text)
+ - export CODEARTIFACT_REPO_URL=https://crypto-tools-internal-587316601012.d.codeartifact.us-east-1.amazonaws.com/maven/java-dbesdk-ddb-staging/
+ # Get CI Creds to be able to call DBESDK TestVectors
+ - TMP_ROLE=$(aws sts assume-role --role-arn "arn:aws:iam::370957321024:role/GitHub-CI-DDBEC-Dafny-Role-us-west-2" --role-session-name "CB-TestVectorResources")
+ - export TMP_ROLE
+ - export AWS_ACCESS_KEY_ID=$(echo "${TMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+ - export AWS_SECRET_ACCESS_KEY=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+ - export AWS_SESSION_TOKEN=$(echo "${TMP_ROLE}" | jq -r '.Credentials.SessionToken')
+ - aws sts get-caller-identity
+ build:
+ commands:
+ # Run transpile by itself. We don't want to locally build the MPL because
+ # we want to verify that the version pulled down from maven works correctly
+ - cd submodules/MaterialProviders/TestVectorsAwsCryptographicMaterialProviders
+ - make transpile_implementation_java
+ - make transpile_test_java
+ - make mvn_local_deploy
+
+ # Run test Vectors
+ - cd ../../../TestVectors
+ # Spin up ddb local
+ - docker run --name dynamodb -d -p 8000:8000 amazon/dynamodb-local -jar DynamoDBLocal.jar -port 8000 -inMemory -cors *
+ # Run transpile by itself so we don't locally build the MPL.
+ - make transpile_implementation_java
+ - make transpile_test_java
+ - gradle -p runtimes/java runTests
+
+ # Test Examples
+ - cd ../Examples
+ # Run Simple Examples
+ - gradle -p runtimes/java/DynamoDbEncryption test
+ # Run Migration Examples
+ - gradle -p runtimes/java/Migration/PlaintextToAWSDBE test
+ - gradle -p runtimes/java/Migration/DDBECToAWSDBE test
diff --git a/submodules/MaterialProviders b/submodules/MaterialProviders
index 7d895d135..f4bfcd353 160000
--- a/submodules/MaterialProviders
+++ b/submodules/MaterialProviders
@@ -1 +1 @@
-Subproject commit 7d895d135b4f90027ad79c528e4d91d4afc6f098
+Subproject commit f4bfcd353be450359a202a937deb1c5872a9b4c5