Sharing Service Instances (Beta)
WARNING: Service instance sharing is a beta feature and may be removed at any time without notice. Use at your own risk.
Sharing a service instance between spaces allows apps in different spaces to share databases, messaging queues, and many other types of services. This eliminates the need for development teams to use service keys and user-provided services to bind their apps to the same service instance that was provisioned using the cf create-service command. Sharing service instances improves security and auditing, and provides a more intuitive user experience.
For example, if two development teams have applications in their own spaces, and both of those applications want to send messages to each other using a messaging queue, the development team in space A could create a new instance of a messaging queue service, bind it to their application, and share that service instance into space B. A developer in space B could then bind their application to the same service instance, and the two applications could begin publishing and receiving messages from one another.
Service instances can be shared into multiple spaces, across orgs.
Developers and administrators can share service instances between spaces in which they have the SpaceDeveloper role.
Developers who have a service instance shared with them can only bind and unbind to that service instance. They cannot update, rename, or delete it.
Developers who have a service instance shared with them will be able to see the values of any configuration parameters that were used to configure the service instance when it was provisioned or updated.
To enable service instance sharing, an administrator must enable the service_instance_sharing feature flag:
$ cf enable-feature-flag service_instance_sharing
You can share a service instance from one space into another if you have the SpaceDeveloper role in both spaces.
To share a service instance to another space, run the following beta Cloud Foundry Command Line Interface (cf CLI) command:
$ cf v3-share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]
You cannot share a service instance into a space where a service instance with the same name already exists.
To share a service instance into a space, the space must have access to the service and service plan of the service instance that you are sharing. Run cf enable-service-access to set this access.
If you no longer have access to a service or service plan used to create a service instance, you can no longer share that service instance.
WARNING: Unsharing a service instance automatically deletes any bindings to applications in the spaces it was shared into. This could cause applications to fail. Before unsharing a service instance, run cf service SERVICE-INSTANCE to see how many bindings exist in the spaces the service instance is shared into.
You can unshare a service instance if you have the SpaceDeveloper role in the space where the original service was shared from.
You cannot delete or rename a service instance until it is unshared from all spaces.
To unshare a service instance, run the following beta cf CLI command:
$ cf v3-unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]
The -f flag forces an unshare without confirmation.
Service keys cannot be created from a space that a service instance has been shared into.
This ensures that developers in the space where a service instance has been shared from have visibility into where, and how many times, the service instance is used.
Sharing service instances does not automatically update application security groups (ASGs). The network policies defined in the ASGs may need to be updated to ensure that applications using shared service instances can access the underlying service.
Access to a service must be enabled using the cf enable-service-access command for a service instance to be shared into a space.
Not all services are enabled for service instance sharing. Contact the service vendor directly if you are unable to share instances of their service. If you are a service author, see Enabling Service Instance Sharing.
To disable service instance sharing, an administrator runs the following:
$ cf disable-feature-flag service_instance_sharing
This only prevents new shares from being created. To remove existing shares, see Deleting All Shares.
The script below finds all service instances that are shared, and for each space that the service instance is shared into, all service bindings to that service instance are deleted, and all shares are deleted.
If a service binding is not successfully deleted, the script continues trying to unshare subsequent service instances.
To use this script, you must be logged in as an administrator and have jq installed.
Note: This script has been tested in macOS Sierra 10.12.4 and Ubuntu 14.04.5. Use the script at your own risk.
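#!/usr/bin/env bash

set -u
set -e

# Refresh the auth token
cf oauth-token >/dev/null

# List service instances, then the spaces each one is shared into.
# cf curl does not follow pagination, so only the first page of
# /v3/service_instances is processed.
for instance_guid in $(cf curl /v3/service_instances | jq -r '.resources[].guid'); do
  for space_guid in $(cf curl "/v2/service_instances/$instance_guid/shared_to" | jq -r '.resources[].space_guid'); do
    echo "Unsharing service instance $instance_guid from space $space_guid"

    # Keep going if an unshare fails, then restore exit-on-error
    set +e
    cf curl -X DELETE "/v3/service_instances/$instance_guid/relationships/shared_spaces/$space_guid"
    set -e
  done
done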
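A read-only counterpart to the script above, added here as an example and not part of the original page or the Cloud Foundry project: it lists every share with the number of bound apps in each target space, so the bindings that unsharing would delete can be reviewed first. The space_name, organization_name and bound_app_count fields of the shared_to response, the function names and the --report switch are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: read-only inventory of shares. Nothing is unshared or deleted.
# Assumes a logged-in cf CLI (administrator) and jq, like the script above.
set -eu

TAB=$(printf '\t')

# shared_spaces INSTANCE_GUID
# One line per target space: ORG/SPACE <tab> SPACE_GUID <tab> BOUND_APP_COUNT.
# space_name, organization_name and bound_app_count are assumed fields of the
# v2 shared_to response; "[]?" tolerates error bodies that have no .resources.
shared_spaces() {
  cf curl "/v2/service_instances/$1/shared_to" </dev/null |
    jq -r '.resources[]?
           | [.organization_name + "/" + .space_name, .space_guid,
              (.bound_app_count // 0)] | @tsv'
}

# report_shares
# One line per share: INSTANCE_NAME <tab> INSTANCE_GUID <tab> shared_spaces row.
# Only the page of /v3/service_instances that cf curl returns is inspected.
report_shares() {
  cf curl /v3/service_instances |
    jq -r '.resources[]? | [.guid, .name] | @tsv' |
    while IFS="$TAB" read -r guid name; do
      shared_spaces "$guid" | while IFS= read -r row; do
        printf '%s\t%s\t%s\n' "$name" "$guid" "$row"
      done
    done
}

# bindings_at_risk
# Sum of bound apps across all shares, i.e. the bindings unsharing would delete.
bindings_at_risk() {
  report_shares | awk -F '\t' '{ n += $5 } END { print n + 0 }'
}

# Run the report only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
  report_shares
  echo "Bindings that unsharing would delete: $(bindings_at_risk)"
fi
```

Run it with --report before disabling the feature flag or running the deletion script; any row with a non-zero last column names a space whose apps will lose their binding.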