From 72695630e0b651b4d286977ffa3cf683220c2794 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Wed, 18 Mar 2026 15:22:49 +0100 Subject: [PATCH 1/5] Add service credential rotation feature doc --- services/application-binding.html.md.erb | 36 +++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index ffaa8106..3aa667ce 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -255,7 +255,9 @@ To update your service credentials: ### Without downtime -To update your service credentials without experiencing app downtime: +To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature. + +#### Blue-green update 1. Start a blue-green update of the app. For more information, see [Using blue-green deployment to reduce downtime and risk](../deploy-apps/blue-green.html). Push the "Green" version of the app with the `--no-start` parameter to prevent the app from starting right away: 
@@ -281,6 +283,35 @@ To update your service credentials without experiencing app downtime: $ cf unbind-service YOUR-APP YOUR-SERVICE-INSTANCE +#### Service credential binding rotation + +The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: + +- The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. +- The service broker must support multiple bindings for the service offering. +- You must use at least CF CLI v8.18.0. + +To rotate credentials for an already bound service instance with no downtime: + + 1. Create an additional service binding to your service instance by running: + +
+    $ cf bind-service YOUR-APP YOUR-SERVICE-INSTANCE --strategy multiple
+    
+ + 1. Trigger a rolling update of your application. The updated application instances will only see the new credentials: + +
+    $ cf restage YOUR-APP --strategy rolling
+    
+ + 1. Once the update has been completed, you can delete the old service bindings with the `cleanup-outdated-service-bindings` command. It only keeps the newest binding and deletes the old bindings: + +
+    $ cf cleanup-outdated-service-bindings YOUR-APP
+    
+ + ## Unbind a service instance Unbinding a service removes the credentials created for your app from the [VCAP_SERVICES](../deploy-apps/environment-variable.html) environment variable. @@ -293,3 +324,6 @@ OK

You must restart or in some cases re-push your app for changes to be applied to the VCAP_SERVICES environment variable and for the app to recognize these changes.

+ +

+If there are multiple service bindings as described in [Service credential binding rotation](#service-credential-binding-rotation), make sure to use CF CLI v8.18.0 or later to unbind all service bindings.
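
Review bot: In [PATCH 1/5], hunk `@@ -281,6 +283,35 @@`, step 3 of the rotation procedure is worded as optional ("you can delete the old service bindings"), but the old binding stays in place until `cf cleanup-outdated-service-bindings` runs, so the rotation is not finished after step 2. Suggest mandatory wording ("delete the old service bindings") and a sentence on how the reader confirms that the rolling restage has completed before running the cleanup, since the text says only the updated application instances see the new credentials.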
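
Review bot: In [PATCH 1/5], hunk `@@ -293,3 +324,6 @@`, the added sentence tells the reader to use CF CLI v8.18.0 or later "to unbind all service bindings" but does not say what an older CLI does when several bindings exist. State the outcome for older versions and how to check that no binding is left after `cf unbind-service`, so a reader does not assume the credentials are gone while a binding remains.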

From 309db6c71231ddc072482a6dbd834f68ea650c0c Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Thu, 19 Mar 2026 13:29:13 +0100 Subject: [PATCH 2/5] Update Service credential binding rotation prerequisites section --- services/application-binding.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 3aa667ce..87936904 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -288,7 +288,7 @@ To update your service credentials without experiencing app downtime you can eit The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. -- The service broker must support multiple bindings for the service offering. +- The service broker must support multiple bindings per service instance and application. - You must use at least CF CLI v8.18.0. To rotate credentials for an already bound service instance with no downtime: From e2e8a5091137df61645c0048d884b60b2fa6f8a2 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Fri, 20 Mar 2026 09:19:58 +0100 Subject: [PATCH 3/5] Clarify service credential binding rotation feature prerequisites --- services/application-binding.html.md.erb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 87936904..8d445826 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb 
@@ -255,7 +255,7 @@ To update your service credentials: ### Without downtime -To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature. +To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature in combination with `--strategy rolling`. #### Blue-green update @@ -285,11 +285,12 @@ To update your service credentials without experiencing app downtime you can eit #### Service credential binding rotation -The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites: +The service credential binding rotation feature allows you to rotate credentials for a service instance using a rolling re-binding. This feature requires the following prerequisites: - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. - The service broker must support multiple bindings per service instance and application. - You must use at least CF CLI v8.18.0. +- You must use the `--strategy rolling` update feature. To rotate credentials for an already bound service instance with no downtime: From e50f86fff46f8f82d3339ea6d778d0249f16d7e0 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Tue, 24 Mar 2026 09:11:55 +0100 Subject: [PATCH 4/5] Convert markdown link to HTML link and harmonize "cf CLI" spelling --- services/application-binding.html.md.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 8d445826..8b235e45 100644 
--- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -289,7 +289,7 @@ The service credential binding rotation feature allows you to rotate credentials - The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration. - The service broker must support multiple bindings per service instance and application. -- You must use at least CF CLI v8.18.0. +- You must use at least cf CLI v8.18.0. - You must use the `--strategy rolling` update feature. To rotate credentials for an already bound service instance with no downtime: @@ -327,4 +327,4 @@ OK You must restart or in some cases re-push your app for changes to be applied to the VCAP_SERVICES environment variable and for the app to recognize these changes.

-If there are multiple service bindings as described in [Service credential binding rotation](#service-credential-binding-rotation), make sure to use CF CLI v8.18.0 or later to unbind all service bindings.

+If there are multiple service bindings as described in Service credential binding rotation, make sure to use cf CLI v8.18.0 or later to unbind all service bindings.
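
Review bot: In [PATCH 2/5], the broker bullet now reads "per service instance and application", but the platform bullet directly above it still says "at least 2 bindings per service instance" while the property it names ends in `per_app_service_instance`. Suggest the same scope in both bullets, for example "at least 2 bindings per app and service instance".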
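
Review bot: In [PATCH 3/5], second hunk, the new prerequisite "You must use the `--strategy rolling` update feature" does not name the command it applies to, and the procedure below it uses two different `--strategy` values: `--strategy multiple` on `cf bind-service` in step 1 and `--strategy rolling` on `cf restage` in step 2. Suggest naming the command in the bullet, or dropping the bullet, since step 2 already requires the rolling restage.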

From 74e397ab0ac94805c796a880e05701d0e1b47d77 Mon Sep 17 00:00:00 2001 From: Jochen Ehret Date: Thu, 26 Mar 2026 10:41:19 +0100 Subject: [PATCH 5/5] Mark service credential binding rotation feature as "experimental" --- services/application-binding.html.md.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb index 8b235e45..796305cf 100644 --- a/services/application-binding.html.md.erb +++ b/services/application-binding.html.md.erb @@ -283,7 +283,7 @@ To update your service credentials without experiencing app downtime you can eit $ cf unbind-service YOUR-APP YOUR-SERVICE-INSTANCE -#### Service credential binding rotation +#### Service credential binding rotation (experimental) The service credential binding rotation feature allows you to rotate credentials for a service instance using a rolling re-binding. This feature requires the following prerequisites:
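
Review bot: In [PATCH 5/5], only the heading gains "(experimental)"; the "Without downtime" intro and the unbind note touched in 1/5 through 4/5 still refer to the feature without that label, and nothing tells the reader what experimental means for their use of it. Also check that the link to this section from the unbind note still resolves: 1/5 pointed it at `#service-credential-binding-rotation`, and renaming the heading may change the generated anchor.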