Sharing Service Instances
This topic explains how to use service instance sharing.
Sharing a service instance between spaces allows apps in different
spaces to share databases, messaging queues, and other types of services.
This eliminates the need for development teams to use service keys and
user-provided services to bind their apps to the same service instance that was
provisioned using the
cf create-service command.
Sharing service instances improves security, auditing, and provides a more intuitive user experience.
Service instances can be shared into multiple spaces and across orgs.
Developers and administrators can share service instances between spaces in which they have the Space Developer role.
Developers who have a service instance shared with them can only bind and unbind apps to that service instance. They cannot update, rename, or delete it.
Developers who have a service instance shared with them can view the values of any configuration parameters that were used to provision or update the service instance.
For example, if two development teams have apps in their own spaces, and both of those apps want to send messages to each other using a messaging queue, you can do the following:
The development team in space A can create a new instance of a messaging queue service, bind it to their app, and share that service instance into space B.
A developer in space B can then bind their app to the same service instance, and the two apps can begin publishing and receiving messages from one another.
To enable service instance sharing, the platform operator must enable the
service_instance_sharing flag in Cloud Foundry.
$ cf enable-feature-flag service_instance_sharing
You can share a service instance from one space to another if you have the Space Developer role in both spaces.
To share a service instance to another space, run the following Cloud Foundry Command Line Interface (cf CLI) command:
$ cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG]
You cannot share a service instance into a space where a service instance with the same name already exists.
To share a service instance into a space, the space must have access to the service and service plan of the service instance that you are sharing. Run the
cf enable-service-accesscommand to set this access.
If you no longer have access to the service or service plan used to create your service instance, you cannot share that service instance.
WARNING: Unsharing a service instance
automatically deletes all bindings to apps in the spaces it was shared into.
This may cause apps to fail. Before unsharing a service instance,
cf service SERVICE-INSTANCE command to see how many bindings exist in the spaces the service instance is shared into.
You can unshare a service instance if you have the Space Developer role in the space where this service instance was shared from.
Developers cannot delete or rename a service instance until it is unshared from all spaces.
To unshare a service instance, run the following cf CLI command:
$ cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f]
-f flag forces unsharing without confirmation.
Service keys cannot be created from a space that a service instance has been shared into.
This ensures that developers in the space where a service instance has been shared from have visibility into where and how many times the service instance is used.
Sharing service instances does not automatically update app security groups (ASGs). The network policies defined in your ASGs may need to be updated to ensure that apps using shared service instances can access the underlying service.
Access to a service must be enabled using the
cf enable-service-accesscommand for a service instance to be shared into a space.
Not all services are enabled for sharing instances functionality. Contact the service vendor directly if you are unable to share instances of their service. If you are a service author, see Enabling Service Instance Sharing.
To disable service instance sharing, run the following command:
$ cf disable-feature-flag service_instance_sharing
This only prevents new shares from being created. To remove existing shares, see Deleting All Shares.
The script below finds all service instances that are shared, and for each space that the service instance is shared into, all service bindings to that service instance are deleted, and all shares are deleted.
If a service binding is not successfully deleted, the script continues trying to unshare subsequent service instances.
To use this script, you must be logged in as an administrator and have jq installed.
Note: This script has been tested on macOS Sierra 10.12.4 and Ubuntu 14.04.5. Use the script at your own risk.
#!/usr/bin/env bash set -u set -e # refresh auth token cf oauth-token >/dev/null for instance_guid in $(cf curl /v3/service_instances | jq -r '.resources.guid'); do for space_guid in $(cf curl /v2/service_instances/$instance_guid/shared_to | jq -r '.resources.space_guid'); do echo "Unsharing service instance $instance_guid from space $space_guid" set +e cf curl -X DELETE "/v3/service_instances/$instance_guid/relationships/shared_spaces/$space_guid" set -e done done