Add service credential rotation feature doc

jochenehret · jochenehret · commit 72695630e0b6 · 2026-03-18T15:22:49.000+01:00
diff --git a/services/application-binding.html.md.erb b/services/application-binding.html.md.erb
@@ -255,7 +255,9 @@ To update your service credentials:
 
 ### <a id='update-credentials-without-downtime'></a>Without downtime
 
-To update your service credentials without experiencing app downtime:
+To update your service credentials without experiencing app downtime you can either employ a blue-green update scheme or use the new service credential binding rotation feature.
+
+#### <a id='blue-green-update'></a>Blue-green update
 
   1. Start a blue-green update of the app. For more information, see [Using blue-green deployment to reduce downtime and risk](../deploy-apps/blue-green.html). Push the "Green" version of the app with the `--no-start` parameter to prevent the app from starting right away:
 
@@ -281,6 +283,35 @@ To update your service credentials without experiencing app downtime:
     $ cf unbind-service YOUR-APP YOUR-SERVICE-INSTANCE
     </pre>
 
+#### <a id='service-credential-binding-rotation'></a>Service credential binding rotation
+
+The service credential binding rotation feature allows you to rotate credentials for a service instance without unbinding and rebinding the service instance. This feature requires the following prerequisites:
+
+- The Cloud Foundry platform must support at least 2 bindings per service instance. This is configured by the platform operator with the `cc.max_service_credential_bindings_per_app_service_instance` property in the Cloud Controller configuration.
+- The service broker must support multiple bindings for the service offering.
+- You must use at least CF CLI v8.18.0.
+
+To rotate credentials for an already bound service instance with no downtime:
+
+  1. Create an additional service binding to your service instance by running:
+
+    <pre class="terminal">
+    $ cf bind-service YOUR-APP YOUR-SERVICE-INSTANCE --strategy multiple
+    </pre>
+
+  1. Trigger a rolling update of your application. The updated application instances will only see the new credentials:
+
+    <pre class="terminal">
+    $ cf restage YOUR-APP --strategy rolling
+    </pre>
+
+  1. Once the update has been completed, you can delete the old service bindings with the `cleanup-outdated-service-bindings` command. It only keeps the newest binding and deletes the old bindings:
+
+    <pre class="terminal">
+    $ cf cleanup-outdated-service-bindings YOUR-APP
+    </pre>
+
+
 ## <a id='unbind'></a>Unbind a service instance
 
 Unbinding a service removes the credentials created for your app from the [VCAP_SERVICES](../deploy-apps/environment-variable.html) environment variable.
@@ -293,3 +324,6 @@ OK
 
 <p class="note important">
 You must restart or in some cases re-push your app for changes to be applied to the <a href="../deploy-apps/environment-variable.html">VCAP_SERVICES</a> environment variable and for the app to recognize these changes.</p>
+
+<p class="note important">
+If there are multiple service bindings as described in [Service credential binding rotation](#service-credential-binding-rotation), make sure to use CF CLI v8.18.0 or later to unbind all service bindings.</p>
