aws-sdk-s3 1.176.1 → 1.208.0

data/lib/aws-sdk-s3/customizations/object.rb

@@ -358,8 +358,8 @@ module Aws
       #   {Client#complete_multipart_upload},
       #   and {Client#upload_part} can be provided.
       #
-      # @option options [Integer] :thread_count (10) The number of parallel
-      #   multipart uploads
+      # @option options [Integer] :thread_count (10) The number of parallel multipart uploads.
+      #   An additional thread is used internally for task coordination.
       #
       # @option options [Boolean] :tempfile (false) Normally read data is stored
       #   in memory when building the parts in order to complete the underlying
@@ -383,29 +383,28 @@ module Aws
       # @see Client#complete_multipart_upload
       # @see Client#upload_part
       def upload_stream(options = {}, &block)
-        uploading_options = options.dup
+        upload_opts = options.merge(bucket: bucket_name, key: key)
+        executor = DefaultExecutor.new(max_threads: upload_opts.delete(:thread_count))
         uploader = MultipartStreamUploader.new(
           client: client,
-          thread_count: uploading_options.delete(:thread_count),
-          tempfile: uploading_options.delete(:tempfile),
-          part_size: uploading_options.delete(:part_size)
+          executor: executor,
+          tempfile: upload_opts.delete(:tempfile),
+          part_size: upload_opts.delete(:part_size)
         )
         Aws::Plugins::UserAgent.metric('RESOURCE_MODEL') do
-          uploader.upload(
-            uploading_options.merge(bucket: bucket_name, key: key),
-            &block
-          )
+          uploader.upload(upload_opts, &block)
         end
+        executor.shutdown
         true
       end
+      deprecated(:upload_stream, use: 'Aws::S3::TransferManager#upload_stream', version: 'next major version')
 
       # Uploads a file from disk to the current object in S3.
       #
       #     # small files are uploaded in a single API call
       #     obj.upload_file('/path/to/file')
       #
-      # Files larger than or equal to `:multipart_threshold` are uploaded
-      # using the Amazon S3 multipart upload APIs.
+      # Files larger than or equal to `:multipart_threshold` are uploaded using the Amazon S3 multipart upload APIs.
       #
       #     # large files are automatically split into parts
       #     # and the parts are uploaded in parallel
@@ -421,74 +420,65 @@ module Aws
       # You can provide a callback to monitor progress of the upload:
       #
       #     # bytes and totals are each an array with 1 entry per part
-      #     progress = Proc.new do |bytes, totals|
-      #       puts bytes.map.with_index { |b, i| "Part #{i+1}: #{b} / #{totals[i]}"}.join(' ') + "Total: #{100.0 * bytes.sum / totals.sum }%" }
+      #     progress = proc do |bytes, totals|
+      #       puts bytes.map.with_index { |b, i| "Part #{i+1}: #{b} / #{totals[i]}"}.join(' ') + "Total: #{100.0 * bytes.sum / totals.sum }%"
       #     end
       #     obj.upload_file('/path/to/file', progress_callback: progress)
       #
-      # @param [String, Pathname, File, Tempfile] source A file on the local
-      #   file system that will be uploaded as this object. This can either be
-      #   a String or Pathname to the file, an open File object, or an open
-      #   Tempfile object. If you pass an open File or Tempfile object, then
-      #   you are responsible for closing it after the upload completes. When
-      #   using an open Tempfile, rewind it before uploading or else the object
+      # @param [String, Pathname, File, Tempfile] source A file on the local file system that will be uploaded as
+      #   this object. This can either be a String or Pathname to the file, an open File object, or an open
+      #   Tempfile object. If you pass an open File or Tempfile object, then you are responsible for closing it
+      #   after the upload completes. When using an open Tempfile, rewind it before uploading or else the object
       #   will be empty.
       #
       # @param [Hash] options
-      #   Additional options for {Client#put_object}
-      #   when file sizes below the multipart threshold. For files larger than
-      #   the multipart threshold, options for {Client#create_multipart_upload},
-      #   {Client#complete_multipart_upload},
-      #   and {Client#upload_part} can be provided.
+      #   Additional options for {Client#put_object} when file sizes below the multipart threshold.
+      #   For files larger than the multipart threshold, options for {Client#create_multipart_upload},
+      #   {Client#complete_multipart_upload}, and {Client#upload_part} can be provided.
       #
-      # @option options [Integer] :multipart_threshold (104857600) Files larger
-      #   than or equal to `:multipart_threshold` are uploaded using the S3
-      #   multipart APIs.
-      #   Default threshold is 100MB.
+      # @option options [Integer] :multipart_threshold (104857600) Files larger han or equal to
+      #  `:multipart_threshold` are uploaded using the S3 multipart APIs. Default threshold is 100MB.
       #
-      # @option options [Integer] :thread_count (10) The number of parallel
-      #   multipart uploads. This option is not used if the file is smaller than
-      #   `:multipart_threshold`.
+      # @option options [Integer] :thread_count (10) The number of parallel multipart uploads.
+      #    This option is not used if the file is smaller than `:multipart_threshold`.
       #
       # @option options [Proc] :progress_callback
       #   A Proc that will be called when each chunk of the upload is sent.
       #   It will be invoked with [bytes_read], [total_sizes]
       #
-      # @raise [MultipartUploadError] If an object is being uploaded in
-      #   parts, and the upload can not be completed, then the upload is
-      #   aborted and this error is raised.  The raised error has a `#errors`
-      #   method that returns the failures that caused the upload to be
-      #   aborted.
+      # @raise [MultipartUploadError] If an object is being uploaded in parts, and the upload can not be completed,
+      #   then the upload is aborted and this error is raised.  The raised error has a `#errors` method that
+      #   returns the failures that caused the upload to be aborted.
       #
-      # @return [Boolean] Returns `true` when the object is uploaded
-      #   without any errors.
+      # @return [Boolean] Returns `true` when the object is uploaded without any errors.
       #
       # @see Client#put_object
       # @see Client#create_multipart_upload
       # @see Client#complete_multipart_upload
       # @see Client#upload_part
       def upload_file(source, options = {})
-        uploading_options = options.dup
+        upload_opts = options.merge(bucket: bucket_name, key: key)
+        executor = DefaultExecutor.new(max_threads: upload_opts.delete(:thread_count))
         uploader = FileUploader.new(
-          multipart_threshold: uploading_options.delete(:multipart_threshold),
-          client: client
+          client: client,
+          executor: executor,
+          multipart_threshold: upload_opts.delete(:multipart_threshold)
         )
         response = Aws::Plugins::UserAgent.metric('RESOURCE_MODEL') do
-          uploader.upload(
-            source,
-            uploading_options.merge(bucket: bucket_name, key: key)
-          )
+          uploader.upload(source, upload_opts)
         end
         yield response if block_given?
+        executor.shutdown
         true
       end
+      deprecated(:upload_file, use: 'Aws::S3::TransferManager#upload_file', version: 'next major version')
 
       # Downloads a file in S3 to a path on disk.
       #
       #     # small files (< 5MB) are downloaded in a single API call
       #     obj.download_file('/path/to/file')
       #
-      # Files larger than 5MB are downloaded using multipart method
+      # Files larger than 5MB are downloaded using multipart method:
       #
       #     # large files are split into parts
       #     # and the parts are downloaded in parallel
@@ -498,67 +488,67 @@ module Aws
       #
       #     # bytes and part_sizes are each an array with 1 entry per part
       #     # part_sizes may not be known until the first bytes are retrieved
-      #     progress = Proc.new do |bytes, part_sizes, file_size|
-      #       puts bytes.map.with_index { |b, i| "Part #{i+1}: #{b} / #{part_sizes[i]}"}.join(' ') + "Total: #{100.0 * bytes.sum / file_size}%" }
+      #     progress = proc do |bytes, part_sizes, file_size|
+      #       puts bytes.map.with_index { |b, i| "Part #{i + 1}: #{b} / #{part_sizes[i]}" }.join(' ') + "Total: #{100.0 * bytes.sum / file_size}%"
       #     end
       #     obj.download_file('/path/to/file', progress_callback: progress)
       #
-      # @param [String] destination Where to download the file to.
+      # @param [String, Pathname, File, Tempfile] destination
+      #   Where to download the file to. This can either be a String or Pathname to the file, an open File object,
+      #   or an open Tempfile object. If you pass an open File or Tempfile object, then you are responsible for
+      #   closing it after the download completes. Download behavior varies by destination type:
+      #
+      #   * **String/Pathname paths**: Downloads to a temporary file first, then atomically moves to the final
+      #    destination. This prevents corruption of any existing file if the download fails.
+      #   * **File/Tempfile objects**: Downloads directly to the file object without using temporary files.
+      #    You are responsible for managing the file object's state and closing it after the download completes.
+      #    If the download fails, the file object may contain partial data.
       #
       # @param [Hash] options
-      #   Additional options for {Client#get_object} and #{Client#head_object}
-      #   may be provided.
+      #   Additional options for {Client#get_object} and #{Client#head_object} may be provided.
       #
-      # @option options [String] mode `auto`, `single_request`, `get_range`
-      #  `single_request` mode forces only 1 GET request is made in download,
-      #  `get_range` mode allows `chunk_size` parameter to configured in
-      #  customizing each range size in multipart_download,
-      #  By default, `auto` mode is enabled, which performs multipart_download
+      # @option options [String] :mode ("auto") `"auto"`, `"single_request"` or `"get_range"`
       #
-      # @option options [Integer] chunk_size required in get_range mode.
+      #  * `auto` mode is enabled by default,  which performs `multipart_download`
+      #  * `"single_request`" mode forces only 1 GET request is made in download
+      #  * `"get_range"` mode requires `:chunk_size` parameter to configured in customizing each range size
       #
-      # @option options [Integer] thread_count (10) Customize threads used in
-      #   the multipart download.
+      # @option options [Integer] :chunk_size required in `"get_range"` mode.
       #
-      # @option options [String] version_id The object version id used to
-      #   retrieve the object. For more about object versioning, see:
-      #   https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html
+      # @option options [Integer] :thread_count (10) Customize threads used in the multipart download.
       #
-      # @option options [String] checksum_mode (ENABLED) When `ENABLED` and
-      #   the object has a stored checksum, it will be used to validate the
-      #   download and will raise an `Aws::Errors::ChecksumError` if
-      #   checksum validation fails. You may provide a `on_checksum_validated`
-      #   callback if you need to verify that validation occurred and which
-      #   algorithm was used.  To disable checksum validation, set
-      #   `checksum_mode` to "DISABLED".
+      # @option options [String] :checksum_mode ("ENABLED")
+      #   This option is deprecated. Use `:response_checksum_validation` on your S3 client instead.
+      #   To disable checksum validation, set `response_checksum_validation: 'when_required'`
+      #   when creating your S3 client.
       #
-      # @option options [Callable] on_checksum_validated Called each time a
-      #   request's checksum is validated with the checksum algorithm and the
-      #   response.  For multipart downloads, this will be called for each
-      #   part that is downloaded and validated.
+      # @option options [Callable] :on_checksum_validated
+      #   Called each time a request's checksum is validated with the checksum algorithm and the
+      #   response.  For multipart downloads, this will be called for each part that is downloaded and validated.
       #
       # @option options [Proc] :progress_callback
-      #   A Proc that will be called when each chunk of the download is received.
-      #   It will be invoked with [bytes_read], [part_sizes], file_size.
-      #   When the object is downloaded as parts (rather than by ranges), the
-      #   part_sizes will not be known ahead of time and will be nil in the
-      #   callback until the first bytes in the part are received.
+      #   A Proc that will be called when each chunk of the download is received. It will be invoked with
+      #   `bytes_read`, `part_sizes`, `file_size`. When the object is downloaded as parts (rather than by ranges),
+      #   the `part_sizes` will not be known ahead of time and will be `nil` in the callback until the first bytes
+      #   in the part are received.
+      #
+      # @raise [MultipartDownloadError] Raised when an object validation fails outside of service errors.
       #
-      # @return [Boolean] Returns `true` when the file is downloaded without
-      #   any errors.
+      # @return [Boolean] Returns `true` when the file is downloaded without any errors.
       #
       # @see Client#get_object
       # @see Client#head_object
       def download_file(destination, options = {})
-        downloader = FileDownloader.new(client: client)
+        download_opts = options.merge(bucket: bucket_name, key: key)
+        executor = DefaultExecutor.new(max_threads: download_opts.delete([:thread_count]))
+        downloader = FileDownloader.new(client: client, executor: executor)
         Aws::Plugins::UserAgent.metric('RESOURCE_MODEL') do
-          downloader.download(
-            destination,
-            options.merge(bucket: bucket_name, key: key)
-          )
+          downloader.download(destination, download_opts)
         end
+        executor.shutdown
         true
       end
+      deprecated(:download_file, use: 'Aws::S3::TransferManager#download_file', version: 'next major version')
 
       class Collection < Aws::Resources::Collection
         alias_method :delete, :batch_delete!

data/lib/aws-sdk-s3/customizations.rb

@@ -6,10 +6,13 @@ module Aws
     autoload :BucketRegionCache, 'aws-sdk-s3/bucket_region_cache'
     autoload :Encryption, 'aws-sdk-s3/encryption'
     autoload :EncryptionV2, 'aws-sdk-s3/encryption_v2'
+    autoload :EncryptionV3, 'aws-sdk-s3/encryption_v3'
     autoload :FilePart, 'aws-sdk-s3/file_part'
+    autoload :DefaultExecutor, 'aws-sdk-s3/default_executor'
     autoload :FileUploader, 'aws-sdk-s3/file_uploader'
     autoload :FileDownloader, 'aws-sdk-s3/file_downloader'
     autoload :LegacySigner, 'aws-sdk-s3/legacy_signer'
+    autoload :MultipartDownloadError, 'aws-sdk-s3/multipart_download_error'
     autoload :MultipartFileUploader, 'aws-sdk-s3/multipart_file_uploader'
     autoload :MultipartStreamUploader, 'aws-sdk-s3/multipart_stream_uploader'
     autoload :MultipartUploadError, 'aws-sdk-s3/multipart_upload_error'
@@ -17,13 +20,13 @@ module Aws
     autoload :ObjectMultipartCopier, 'aws-sdk-s3/object_multipart_copier'
     autoload :PresignedPost, 'aws-sdk-s3/presigned_post'
     autoload :Presigner, 'aws-sdk-s3/presigner'
+    autoload :TransferManager, 'aws-sdk-s3/transfer_manager'
 
     # s3 express session auth
     autoload :ExpressCredentials, 'aws-sdk-s3/express_credentials'
     autoload :ExpressCredentialsProvider, 'aws-sdk-s3/express_credentials_provider'
 
     # s3 access grants auth
-
     autoload :AccessGrantsCredentials, 'aws-sdk-s3/access_grants_credentials'
     autoload :AccessGrantsCredentialsProvider, 'aws-sdk-s3/access_grants_credentials_provider'
   end

data/lib/aws-sdk-s3/default_executor.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    # @api private
+    class DefaultExecutor
+      DEFAULT_MAX_THREADS = 10
+      RUNNING = :running
+      SHUTTING_DOWN = :shutting_down
+      SHUTDOWN = :shutdown
+
+      def initialize(options = {})
+        @max_threads = options[:max_threads] || DEFAULT_MAX_THREADS
+        @state = RUNNING
+        @queue = Queue.new
+        @pool = []
+        @mutex = Mutex.new
+      end
+
+      # Submits a task for execution.
+      # @param [Object] args Variable number of arguments to pass to the block
+      # @param [Proc] block The block to be executed
+      # @return [Boolean] Returns true if the task was submitted successfully
+      def post(*args, &block)
+        @mutex.synchronize do
+          raise 'Executor has been shutdown and is no longer accepting tasks' unless @state == RUNNING
+
+          @queue << [args, block]
+          ensure_worker_available
+        end
+        true
+      end
+
+      # Immediately terminates all worker threads and clears pending tasks.
+      # This is a forceful shutdown that doesn't wait for running tasks to complete.
+      #
+      # @return [Boolean] true when termination is complete
+      def kill
+        @mutex.synchronize do
+          @state = SHUTDOWN
+          @pool.each(&:kill)
+          @pool.clear
+          @queue.clear
+        end
+        true
+      end
+
+      # Gracefully shuts down the executor, optionally with a timeout.
+      # Stops accepting new tasks and waits for running tasks to complete.
+      #
+      # @param timeout [Numeric, nil] Maximum time in seconds to wait for shutdown.
+      #   If nil, waits indefinitely. If timeout expires, remaining threads are killed.
+      # @return [Boolean] true when shutdown is complete
+      def shutdown(timeout = nil)
+        @mutex.synchronize do
+          return true if @state == SHUTDOWN
+
+          @state = SHUTTING_DOWN
+          @pool.size.times { @queue << :shutdown }
+        end
+
+        if timeout
+          deadline = Time.now + timeout
+          @pool.each do |thread|
+            remaining = deadline - Time.now
+            break if remaining <= 0
+
+            thread.join([remaining, 0].max)
+          end
+          @pool.select(&:alive?).each(&:kill)
+        else
+          @pool.each(&:join)
+        end
+
+        @mutex.synchronize do
+          @pool.clear
+          @state = SHUTDOWN
+        end
+        true
+      end
+
+      private
+
+      def ensure_worker_available
+        return unless @state == RUNNING
+
+        @pool.select!(&:alive?)
+        @pool << spawn_worker if @pool.size < @max_threads
+      end
+
+      def spawn_worker
+        Thread.new do
+          while (job = @queue.shift)
+            break if job == :shutdown
+
+            args, block = job
+            block.call(*args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/encryption/client.rb

@@ -6,9 +6,9 @@ module Aws
   module S3
 
     # [MAINTENANCE MODE] There is a new version of the Encryption Client.
-    # AWS strongly recommends upgrading to the {Aws::S3::EncryptionV2::Client},
+    # AWS strongly recommends upgrading to the {Aws::S3::EncryptionV3::Client},
     # which provides updated data security best practices.
-    # See documentation for {Aws::S3::EncryptionV2::Client}.
+    # See documentation for {Aws::S3::EncryptionV3::Client}.
     # Provides an encryption client that encrypts and decrypts data client-side,
     # storing the encrypted data in Amazon S3.
     #

data/lib/aws-sdk-s3/encryption/default_cipher_provider.rb

@@ -16,6 +16,8 @@ module Aws
         #   envelope and encryption cipher.
         def encryption_cipher
           cipher = Utils.aes_encryption_cipher(:CBC)
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+          ##% Objects encrypted with ALG_AES_256_CBC_IV16_NO_KDF MAY use either the V1 or V2 message format version.
           envelope = {
             'x-amz-key' => encode64(encrypt(envelope_key(cipher))),
             'x-amz-iv' => encode64(envelope_iv(cipher)),

data/lib/aws-sdk-s3/encryption/encrypt_handler.rb

@@ -38,6 +38,8 @@ module Aws
           io = StringIO.new(io) if String === io
           context.params[:body] = IOEncrypter.new(cipher, io)
           context.params[:metadata] ||= {}
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#content-metadata-mapkeys
+          ##% - The mapkey "x-amz-unencrypted-content-length" SHOULD be present for V1 format objects.
           context.params[:metadata]['x-amz-unencrypted-content-length'] = io.size
           if context.params.delete(:content_md5)
             warn('Setting content_md5 on client side encrypted objects is deprecated')

data/lib/aws-sdk-s3/encryption/kms_cipher_provider.rb

@@ -26,6 +26,8 @@ module Aws
           end
           cipher = Utils.aes_encryption_cipher(:CBC)
           cipher.key = key_data.plaintext
+          ##= ../specification/s3-encryption/data-format/content-metadata.md#algorithm-suite-and-message-format-version-compatibility
+          ##% Objects encrypted with ALG_AES_256_CBC_IV16_NO_KDF MAY use either the V1 or V2 message format version.
           envelope = {
             'x-amz-key-v2' => encode64(key_data.ciphertext_blob),
             'x-amz-iv' => encode64(cipher.iv = cipher.random_iv),

data/lib/aws-sdk-s3/encryptionV2/client.rb

@@ -5,9 +5,17 @@ require 'forwardable'
 module Aws
   module S3
 
-    REQUIRED_PARAMS = [:key_wrap_schema, :content_encryption_schema, :security_profile]
-    SUPPORTED_SECURITY_PROFILES = [:v2, :v2_and_legacy]
+    REQUIRED_PARAMS = [:key_wrap_schema, :content_encryption_schema, :security_profile].freeze
+    SUPPORTED_SECURITY_PROFILES = [:v2, :v2_and_legacy].freeze
+    SUPPORTED_COMMITMENT_POLICIES = [:forbid_encrypt_allow_decrypt].freeze
 
+    # [MAINTENANCE MODE] There is a new version of the Encryption Client.
+    # AWS strongly recommends upgrading to the {Aws::S3::EncryptionV3::Client},
+    # which provides updated data security best practices.
+    # For migration guidance, see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-encryption-migration-v2-v3.html
+    # Provides an encryption client that encrypts and decrypts data client-side,
+    # storing the encrypted data in Amazon S3.
+    # 
     # Provides an encryption client that encrypts and decrypts data client-side,
     # storing the encrypted data in Amazon S3.  The `EncryptionV2::Client` (V2 Client)
     # provides improved security over the `Encryption::Client` (V1 Client)
@@ -307,15 +315,29 @@ module Aws
         # @option options [KMS::Client] :kms_client A default {KMS::Client}
         #   is constructed when using KMS to manage encryption keys.
         #
+        # @option options [Symbol] :commitment_policy (nil)
+        #   Optional parameter for migration from V2 to V3. When set to
+        #   :forbid_encrypt_allow_decrypt, this explicitly indicates you are
+        #   maintaining V2 encryption behavior while preparing for migration.
+        #   This allows the V2 client to decrypt V3-encrypted objects while
+        #   continuing to encrypt new objects using V2 algorithms.
+        #   Only :forbid_encrypt_allow_decrypt is supported.
+        #   For migration guidance, see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-encryption-migration-v2-v3.html
+        #
         def initialize(options = {})
           validate_params(options)
           @client = extract_client(options)
-          @cipher_provider = cipher_provider(options)
+          @cipher_provider = build_cipher_provider(options)
+          @key_provider = @cipher_provider.key_provider if @cipher_provider.is_a?(DefaultCipherProvider)
           @envelope_location = extract_location(options)
           @instruction_file_suffix = extract_suffix(options)
           @kms_allow_decrypt_with_any_cmk =
             options[:kms_key_id] == :kms_allow_decrypt_with_any_cmk
           @security_profile = extract_security_profile(options)
+          @commitment_policy = extract_commitment_policy(options)
+          # The v3 cipher is only used for decrypt.
+          # Therefore any configured v2 `content_encryption_schema` is going to be incorrect.
+          @v3_cipher_provider = build_v3_cipher_provider_for_decrypt(options.reject { |k, _| k == :content_encryption_schema })
         end
 
         # @return [S3::Client]
@@ -341,6 +363,11 @@ module Aws
         #   by this string.
         attr_reader :instruction_file_suffix
 
+        # @return [Symbol, nil] Optional commitment policy for V2 to V3 migration.
+        #   When set to :forbid_encrypt_allow_decrypt, explicitly indicates
+        #   maintaining V2 encryption behavior while preparing for migration.
+        attr_reader :commitment_policy
+
         # Uploads an object to Amazon S3, encrypting data client-side.
         # See {S3::Client#put_object} for documentation on accepted
         # request parameters.
@@ -410,6 +437,7 @@ module Aws
           req.handlers.add(DecryptHandler)
           req.context[:encryption] = {
             cipher_provider: @cipher_provider,
+            v3_cipher_provider: @v3_cipher_provider,
             envelope_location: envelope_location,
             instruction_file_suffix: instruction_file_suffix,
             kms_encryption_context: kms_encryption_context,
@@ -423,6 +451,50 @@ module Aws
 
         private
 
+        def build_cipher_provider(options)
+          if options[:kms_key_id]
+            KmsCipherProvider.new(
+              kms_key_id: options[:kms_key_id],
+              kms_client: kms_client(options),
+              key_wrap_schema: options[:key_wrap_schema],
+              content_encryption_schema: options[:content_encryption_schema]
+            )
+          else
+            key_provider = extract_key_provider(options)
+            DefaultCipherProvider.new(
+              key_provider: key_provider,
+              key_wrap_schema: options[:key_wrap_schema],
+              content_encryption_schema: options[:content_encryption_schema]
+            )
+          end
+        end
+
+        def build_v3_cipher_provider_for_decrypt(options)
+          if options[:kms_key_id]
+            Aws::S3::EncryptionV3::KmsCipherProvider.new(
+              kms_key_id: options[:kms_key_id],
+              kms_client: kms_client(options),
+              key_wrap_schema: options[:key_wrap_schema],
+              content_encryption_schema: options[:content_encryption_schema]
+            )
+          else
+            # Create V3 key provider explicitly for proper namespace consistency
+            key_provider = if options[:key_provider]
+              options[:key_provider]
+            elsif options[:encryption_key]
+              Aws::S3::EncryptionV3::DefaultKeyProvider.new(options)
+            else
+              msg = 'you must pass a :kms_key_id, :key_provider, or :encryption_key'
+              raise ArgumentError, msg
+            end
+            Aws::S3::EncryptionV3::DefaultCipherProvider.new(
+              key_provider: key_provider,
+              key_wrap_schema: options[:key_wrap_schema],
+              content_encryption_schema: options[:content_encryption_schema]
+            )
+          end
+        end
+
         # Validate required parameters exist and don't conflict.
         # The cek_alg and wrap_alg are passed on to the CipherProviders
         # and further validated there
@@ -452,36 +524,19 @@ module Aws
             options.delete(:encryption_key)
             options.delete(:envelope_location)
             options.delete(:instruction_file_suffix)
+            options.delete(:commitment_policy)
             REQUIRED_PARAMS.each { |p| options.delete(p) }
             S3::Client.new(options)
           end
         end
 
         def kms_client(options)
-          options[:kms_client] || begin
+          options[:kms_client] || (@kms_client ||=
             KMS::Client.new(
               region: @client.config.region,
               credentials: @client.config.credentials,
               )
-          end
-        end
-
-        def cipher_provider(options)
-          if options[:kms_key_id]
-            KmsCipherProvider.new(
-              kms_key_id: options[:kms_key_id],
-              kms_client: kms_client(options),
-              key_wrap_schema: options[:key_wrap_schema],
-              content_encryption_schema: options[:content_encryption_schema]
-            )
-          else
-            @key_provider = extract_key_provider(options)
-            DefaultCipherProvider.new(
-              key_provider: @key_provider,
-              key_wrap_schema: options[:key_wrap_schema],
-              content_encryption_schema: options[:content_encryption_schema]
-            )
-          end
+          )
         end
 
         def extract_key_provider(options)
@@ -564,7 +619,27 @@ module Aws
           end
           security_profile
         end
+
+        def extract_commitment_policy(options)
+          validate_commitment_policy(options[:commitment_policy])
+        end
+
+        def validate_commitment_policy(commitment_policy)
+          return nil if commitment_policy.nil?
+
+          unless SUPPORTED_COMMITMENT_POLICIES.include? commitment_policy
+            raise ArgumentError, "Unsupported commitment policy: :#{commitment_policy}. " \
+            "The V2 client only supports :forbid_encrypt_allow_decrypt for migration purposes. " \
+            "For migration guidance, see: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/s3-encryption-migration-v2-v3.html"
+          end
+          commitment_policy
+        end
       end
     end
   end
 end
+
+##= ../specification/s3-encryption/data-format/content-metadata.md#v1-v2-shared
+##= type=exception
+##= reason=This has never been supported in Ruby
+##% This string MAY be encoded by the esoteric double-encoding scheme used by the S3 web server.