Sharing Service Instances (Experimental)
Page last updated:
WARNING: This feature is experimental and may be removed at any time without notice. Use at your own risk.
Sharing a service instance between spaces, allows applications in different spaces to share databases,
messaging queues and many other types of services. This eliminates the need for
development teams to use service keys and user-provided services in order to bind
their applications to the same service instance that was provisioned through
This provides improved security, auditing, and a more intuitive user experience.
For example, if two development teams have applications in their own spaces, and both of those applications want to send messages to each other using a messaging queue, the development team in space A could create a new instance of a messaging queue service, bind it to their application, and share that service instance into space B. A developer in space B could then bind their application to the same service instance, and the two applications could begin publishing and receiving messages from one another.
Service instances can be shared into multiple spaces, across orgs.
Developers and administrators can share service instances between spaces in which they have the SpaceDeveloper role.
Developers who have a service instance shared with them can only bind and unbind to that service instance. They cannot update, rename, or delete it.
To enable service instance sharing, an administrator must enable the
$ cf enable-feature-flag service_instance_sharing
You can share a service instance in one space to another if you have the SpaceDeveloper role in both spaces.
To share a service instance to another space, run the following experimental cf CLI command:
$ cf v3-share-service SERVICE_INSTANCE -s OTHER_SPACE [-o OTHER_ORG]
You cannot share a service instance into a space where a service instance with the same name already exists.
To share a service instance into a space, the space must have access to the service and service plan of the service instance that you are sharing (use
If you no longer have access to a service or service plan used to create a service instance, you can no longer share that service instance.
WARNING: Unsharing a service instance
automatically deletes any bindings to applications in the spaces it was shared into.
This could cause applications to fail. Before unsharing a service instance,
cf service SERVICE_INSTANCE to see
how many bindings exist in the spaces the service instance is shared into.
You can unshare a service instance if you have the SpaceDeveloper role in the space where the original service was shared from.
You cannot delete or rename a service instance until it is unshared from all spaces.
To unshare a service instance, run the following experimental cf CLI command:
$ cf v3-unshare-service SERVICE_INSTANCE -s OTHER_SPACE [-o OTHER_ORG] [-f]
-f flag forces an unshare without confirmation.
Service keys cannot be created from a space that a service instance has been shared into. This ensures that developers in the space where a service instance has been shared from have visibility into where, and how many times, the service instance is being used.
Sharing service instances does not automatically update application security groups. The network policies defined in the ASGs may need to be updated in order to ensure that applications using shared service instances can access the underlying service.
Access to a service must be enabled via
cf enable-service-accessin order for a service instance to be shared into a space.
Not all services are enable for sharing instances functionality. Contact the service vendor directly if you are unable to share instances of their service. If you are a service author, see Enabling Service Instance Sharing.
To disable service instance sharing, an administrator runs the following:
$ cf disable-feature-flag service_instance_sharing
This will only prevent new shares from being created. To remove existing shares, see Deleting All Shares.
The script below finds all service instances that are shared, and for each space that the service instance is shared into, all service bindings to that service instance are deleted, and all shares are deleted.
If a service binding is not successfully deleted, the script continues trying to unshare subsequent service instances. To use this script, you must:
- Be logged in as an administrator
- Have jq installed
Note: This script has been tested in macOS Sierra 10.12.4 and Ubuntu 14.04.5. Use the script at your own risk.
Create a pull request or raise an issue on the source for this page in GitHub
#!/usr/bin/env bash set -u set -e # refresh auth token cf oauth-token >/dev/null for instance_guid in $(cf curl /v3/service_instances | jq -r '.resources.guid'); do for space_guid in $(cf curl /v2/service_instances/$instance_guid/shared_to | jq -r '.resources.space_guid'); do echo "Unsharing service instance $instance_guid from space $space_guid" set +e cf curl -X DELETE "/v3/service_instances/$instance_guid/relationships/shared_spaces/$space_guid" set -e done done