From 72695630e0b651b4d286977ffa3cf683220c2794 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Wed, 18 Mar 2026 15:22:49 +0100 Subject: [PATCH 1/4] Add service credential rotation feature doc --- services/application-binding.html.md.erb | 36 +++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index ffaa8106..3aa667ce 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -255,7 +255,9 @@ To update your service credentials: ### Without downtime -To update your service credentials without experiencing app downtime: +To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature. + +#### Blue-green update 1. Start a blue-green update of the app. For more information, see [Using blue-green deployment to reduce downtime and risk](../deploy-apps/blue-green.html). Push the "Green" version of the app with the `--no-start` parameter to prevent the app from starting right away: @@ -281,6 +283,35 @@ To update your service credentials without experiencing app downtime: $ cf unbind-service YOUR-APP YOUR-SERVICE-INSTANCE +#### Service credential binding rotation + +The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: + +- The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. +- The service broker must support multiple bindings for the service offering. +- You must use at least CF CLI v8.18.0. + +To rotate credentials for an already bound service instance with no downtime: + + 1. Create an additional service binding to your service instance by running: + + 
+    $ cf bind-service YOUR-APP YOUR-SERVICE-INSTANCE --strategy multiple
+
+ + 1. Trigger a rolling update of your application. The updated application instances will only see the new credentials: + + 
+    $ cf restage YOUR-APP --strategy rolling
+
+ + 1. Once the update has been completed, you can delete the old service bindings with the `cleanup-outdated-service-bindings` command. It only keeps the newest binding and deletes the old bindings: + + 
+    $ cf cleanup-outdated-service-bindings YOUR-APP
+
+ + ## Unbind a service instance Unbinding a service removes the credentials created for your app from the [VCAP_SERVICES](../deploy-apps/environment-variable.html) environment variable. @@ -293,3 +324,6 @@ OK

You must restart or in some cases re-push your app for changes to be applied to the VCAP_SERVICES environment variable and for the app to recognize these changes.

+ +

+If there are multiple service bindings as described in [Service credential binding rotation](#service-credential-binding-rotation), make sure to use CF CLI v8.18.0 or later to unbind all service bindings.

From 309db6c71231ddc072482a6dbd834f68ea650c0c Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Thu, 19 Mar 2026 13:29:13 +0100 Subject: [PATCH 2/4] Update Service credential binding rotation prerequisites section --- services/application-binding.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 3aa667ce..87936904 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -288,7 +288,7 @@ To update your service credentials without experiencing app downtime you can eit The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. -- The service broker must support multiple bindings for the service offering. +- The service broker must support multiple bindings per service instance and application. - You must use at least CF CLI v8.18.0. To rotate credentials for an already bound service instance with no downtime: From e2e8a5091137df61645c0048d884b60b2fa6f8a2 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Fri, 20 Mar 2026 09:19:58 +0100 Subject: [PATCH 3/4] Clarify service credential binding rotation feature prerequisites --- services/application-binding.html.md.erb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 87936904..8d445826 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -255,7 +255,7 @@ To update your service credentials: ### Without downtime -To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature. +To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature in combination with `--strategy rolling`. #### Blue-green update @@ -285,11 +285,12 @@ To update your service credentials without experiencing app downtime you can eit #### Service credential binding rotation -The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: +The service credential binding rotation feature allows you to rotate credentials for a service instance using a rolling re-binding. This feature requires the following prerequisites: - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. - The service broker must support multiple bindings per service instance and application. - You must use at least CF CLI v8.18.0. +- You must use the `--strategy rolling` update feature. To rotate credentials for an already bound service instance with no downtime: From e50f86fff46f8f82d3339ea6d778d0249f16d7e0 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Tue, 24 Mar 2026 09:11:55 +0100 Subject: [PATCH 4/4] Convert markdown link to HTML link and harmonize "cf CLI" spelling --- services/application-binding.html.md.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 8d445826..8b235e45 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -289,7 +289,7 @@ The service credential binding rotation feature allows you to rotate credentials - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. - The service broker must support multiple bindings per service instance and application. -- You must use at least CF CLI v8.18.0. +- You must use at least cf CLI v8.18.0. - You must use the `--strategy rolling` update feature. To rotate credentials for an already bound service instance with no downtime: @@ -327,4 +327,4 @@ OK You must restart or in some cases re-push your app for changes to be applied to the VCAP_SERVICES environment variable and for the app to recognize these changes.

-If there are multiple service bindings as described in [Service credential binding rotation](#service-credential-binding-rotation), make sure to use CF CLI v8.18.0 or later to unbind all service bindings.

+If there are multiple service bindings as described in Service credential binding rotation, make sure to use cf CLI v8.18.0 or later to unbind all service bindings.