// Module included in the following assemblies:
//
// * rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc


:_mod-docs-content-type: PROCEDURE
[id="rosa-additional-principals-create_{context}"]
= Adding additional principals while creating your {product-title} cluster

Use the `--additional-allowed-principals` argument to permit access through other roles.

.Procedure

. Add the `--additional-allowed-principals` argument to the `rosa create cluster` command, similar to the following:
+
[source,terminal]
----
$ rosa create cluster [...] --additional-allowed-principals <arn_string>
----
+
You can use `arn:aws:iam::account_id:role/role_name` to approve a specific role.

. When the cluster creation command runs, you receive a summary of your cluster with the `--additional-allowed-principals` specified:
+
.Example output
+
[source,terminal]
----
Name:                       mycluster
Domain Prefix:              mycluster
Display Name:               mycluster
ID:                         <cluster-id>
External ID:                <cluster-id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.15.17
Channel Group:              stable
DNS:                        Not ready
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:
Console URL:
Region:                     us-east-2
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ

Nodes:
 - Compute (desired):       2
 - Compute (current):       0
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
 - Subnets:                 subnet-453e99d40, subnet-666847ce827
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/mycluster-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/mycluster-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/mycluster-openshift-cloud-network-config-controller-cloud-creden
 - arn:aws:iam::<aws_id>:role/mycluster-openshift-image-registry-installer-cloud-credentials
 - arn:aws:iam::<aws_id>:role/mycluster-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/mycluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
 - arn:aws:iam::<aws_id>:role/mycluster-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/mycluster-kube-system-kube-controller-manager
 - arn:aws:iam::<aws_id>:role/mycluster-kube-system-capa-controller-manager
Managed Policies:           Yes
State:                      waiting (Waiting for user action)
Private:                    No
Delete Protection:          Disabled
Created:                    Jun 25 2024 13:36:37 UTC
User Workload Monitoring:   Enabled
Details Page:               https://console.redhat.com/openshift/details/s/Bvbok4O79q1Vg8
OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/vhufi5lap6vbl3jlq20e (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Additional Principals:      arn:aws:iam::<aws_id>:role/additional-user-role
----