diff --git a/README.md b/README.md
index 414af63ea8..3979c05b66 100644
--- a/README.md
+++ b/README.md
@@ -205,3 +205,12 @@ $ make testacc
 Thanks
 ---------------------------
 We'd like to thank [Akshay Karle](https://github.com/akshaykarle) for writing the first version of a Terraform Provider for MongoDB Atlas and paving the way for the creation of this one.
+
+# Running the integration tests
+
+The integration tests helps the validation for resources interacting with third party providers (aws, azure or gcp) using terratest [environment setup details](integration-testing/README.md)
+
+```
+  cd integration-testing
+  go test -tags=integration
+```
diff --git a/examples/atlas-cloud-provider-access/aws/aws-roles.tf b/examples/atlas-cloud-provider-access/aws/aws-roles.tf
new file mode 100644
index 0000000000..6ed5b48b23
--- /dev/null
+++ b/examples/atlas-cloud-provider-access/aws/aws-roles.tf
@@ -0,0 +1,41 @@
+resource "aws_iam_role_policy" "test_policy" {
+  name = "mongo_setup_policy"
+  role = aws_iam_role.test_role.id
+
+  policy = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+		"Action": "*",
+		"Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
+
+resource "aws_iam_role" "test_role" {
+  name = "mongo_setup_test_role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws.atlas_aws_account_arn}"
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": "${mongodbatlas_cloud_provider_access_setup.setup_only.aws.atlas_assumed_role_external_id}"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
diff --git a/examples/atlas-cloud-provider-access/aws/main.tf b/examples/atlas-cloud-provider-access/aws/main.tf
new file mode 100644
index 0000000000..08789b657c
--- /dev/null
+++ b/examples/atlas-cloud-provider-access/aws/main.tf
@@ -0,0 +1,13 @@
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+   project_id = var.project_id
+   provider_name = var.cloud_provider_access_name
+}
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+   project_id = var.project_id
+   role_id =  mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+   aws = {
+      iam_assumed_role_arn = aws_iam_role.test_role.arn
+   }
+}
diff --git a/examples/atlas-cloud-provider-access/aws/providers.tf b/examples/atlas-cloud-provider-access/aws/providers.tf
new file mode 100644
index 0000000000..e075e34d7e
--- /dev/null
+++ b/examples/atlas-cloud-provider-access/aws/providers.tf
@@ -0,0 +1,9 @@
+provider "mongodbatlas" {
+  public_key  = var.public_key
+  private_key = var.private_key
+}
+provider "aws" {
+  access_key = var.access_key
+  secret_key = var.secret_key
+  region     = var.aws_region
+}
diff --git a/examples/atlas-cloud-provider-access/aws/variables.tf b/examples/atlas-cloud-provider-access/aws/variables.tf
new file mode 100644
index 0000000000..2ad464a594
--- /dev/null
+++ b/examples/atlas-cloud-provider-access/aws/variables.tf
@@ -0,0 +1,25 @@
+// mongo 
+variable project_id {
+    type = string
+}
+variable cloud_provider_access_name {
+    type = string
+    default = "AWS"
+}
+variable public_key {
+    type = string
+}
+variable private_key {
+    type = string
+}
+
+// aws
+variable access_key {
+    type = string
+}
+variable secret_key {
+    type = string
+}
+variable aws_region {
+    type = string
+}
\ No newline at end of file
diff --git a/examples/atlas-cloud-provider-access/aws/versions.tf b/examples/atlas-cloud-provider-access/aws/versions.tf
new file mode 100644
index 0000000000..92fca3b63d
--- /dev/null
+++ b/examples/atlas-cloud-provider-access/aws/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    mongodbatlas = {
+      source = "mongodb/mongodbatlas"
+    }
+  }
+  required_version = ">= 0.13"
+}
\ No newline at end of file
diff --git a/integration-testing/README.md b/integration-testing/README.md
new file mode 100644
index 0000000000..fc4d895598
--- /dev/null
+++ b/integration-testing/README.md
@@ -0,0 +1,21 @@
+### Integration tests
+
+Integration tests required extra credentials, such as for aws and azure,
+in order to execute the complete terraform cycle (init, apply, destroy)
+
+For all the testing it needs the common environment variables 
+```
+    MONGODB_ATLAS_PROJECT_ID
+    MONGODB_ATLAS_PUBLIC_KEY
+    MONGODB_ATLAS_PRIVATE_KEY
+```
+
+For specific aws related interactions 
+```
+    AWS_ACCESS_KEY_ID
+    AWS_SECRET_ACCESS_KEY
+    AWS_REGION
+
+    AWS_CUSTOMER_MASTER_KEY_ID (only required for encryption at rest with customer managed key)
+
+```
diff --git a/integration-testing/common.go b/integration-testing/common.go
new file mode 100644
index 0000000000..64706c648c
--- /dev/null
+++ b/integration-testing/common.go
@@ -0,0 +1,33 @@
+package integration_testing
+
+import "os"
+
+type MongoDBCredentials struct {
+	ProjectID  string
+	PublicKey  string
+	PrivateKey string
+}
+
+type AWSCredentials struct {
+	AccessKey         string
+	SecretKey         string
+	CustomerMasterKey string
+	AwsRegion         string
+}
+
+func GetCredentialsFromEnv() MongoDBCredentials {
+	return MongoDBCredentials{
+		ProjectID:  os.Getenv("MONGODB_ATLAS_PROJECT_ID"),
+		PublicKey:  os.Getenv("MONGODB_ATLAS_PUBLIC_KEY"),
+		PrivateKey: os.Getenv("MONGODB_ATLAS_PRIVATE_KEY"),
+	}
+}
+
+func GetAWSCredentialsFromEnv() AWSCredentials {
+	return AWSCredentials{
+		AccessKey:         os.Getenv("AWS_ACCESS_KEY_ID"),
+		SecretKey:         os.Getenv("AWS_SECRET_ACCESS_KEY"),
+		CustomerMasterKey: os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID"),
+		AwsRegion:         os.Getenv("AWS_REGION"),
+	}
+}
diff --git a/integration-testing/resource_mongodbatlas_cloud_provider_access_test.go b/integration-testing/resource_mongodbatlas_cloud_provider_access_test.go
new file mode 100644
index 0000000000..baee7c5a8f
--- /dev/null
+++ b/integration-testing/resource_mongodbatlas_cloud_provider_access_test.go
@@ -0,0 +1,44 @@
+// +build integration
+
+package integration_testing
+
+import (
+	"os"
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+)
+
+const (
+	defaultTerratestFilesCPA = "../examples/atlas-cloud-provider-access/aws/"
+)
+
+func TestTerraformResourceMongoDBAtlasCloudProviderAccess_basicAWS(t *testing.T) {
+	t.Parallel()
+
+	mongoSecrets := GetCredentialsFromEnv()
+	awsSecrets := GetAWSCredentialsFromEnv()
+
+	testFiles := os.Getenv("TERRATEST_CLOUD_PROVIDER_ACCESS_AWS")
+	if testFiles == "" {
+		testFiles = defaultTerratestFilesCPA
+	}
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: testFiles,
+		Vars: map[string]interface{}{
+			"project_id":                 mongoSecrets.ProjectID,
+			"cloud_provider_access_name": "AWS",
+			"public_key":                 mongoSecrets.PublicKey,
+			"private_key":                mongoSecrets.PrivateKey,
+			"access_key":                 awsSecrets.AccessKey,
+			"secret_key":                 awsSecrets.SecretKey,
+			"aws_region":                 awsSecrets.AwsRegion,
+		},
+	}
+
+	terraformTest := terraform.WithDefaultRetryableErrors(t, terraformOptions)
+
+	defer terraform.Destroy(t, terraformTest)
+	terraform.InitAndApply(t, terraformTest)
+}
diff --git a/integration-testing/resource_mongodbatlas_encryption_at_rest_test.go b/integration-testing/resource_mongodbatlas_encryption_at_rest_test.go
index 3bffd5a90d..689489392e 100644
--- a/integration-testing/resource_mongodbatlas_encryption_at_rest_test.go
+++ b/integration-testing/resource_mongodbatlas_encryption_at_rest_test.go
@@ -1,45 +1,33 @@
+// +build integration
+
 package integration_testing
 
 import (
 	"fmt"
-	"os"
-	"strings"
 	"testing"
 
 	"github.com/gruntwork-io/terratest/modules/terraform"
 )
 
-func SkipTestExtCred(t *testing.T) {
-	if strings.EqualFold(os.Getenv("SKIP_TEST_EXTERNAL_CREDENTIALS"), "true") {
-		t.SkipNow()
-	}
-}
 func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testing.T) {
-	SkipTestExtCred(t)
 	t.Parallel()
 
-	var (
-		projectID   = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
-		accessKey   = os.Getenv("AWS_ACCESS_KEY_ID")
-		secretKey   = os.Getenv("AWS_SECRET_ACCESS_KEY")
-		customerKey = os.Getenv("AWS_CUSTOMER_MASTER_KEY_ID")
-		awsRegion   = os.Getenv("AWS_REGION")
-		publicKey   = os.Getenv("MONGODB_ATLAS_PUBLIC_KEY")
-		privateKey  = os.Getenv("MONGODB_ATLAS_PRIVATE_KEY")
-	)
+	mongoSecrets := GetCredentialsFromEnv()
+	awsSecrets := GetAWSCredentialsFromEnv()
+
 	// Construct the terraform options with default retryable errors to handle the most common
 	// retryable errors in terraform testing.
 	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles",
 		Vars: map[string]interface{}{
-			"access_key":          accessKey,
-			"secret_key":          secretKey,
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"access_key":          awsSecrets.AccessKey,
+			"secret_key":          awsSecrets.SecretKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 		},
 	})
 
@@ -53,20 +41,20 @@ func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testi
 	awsRoleARN := terraform.Output(t, terraformOptions, "aws_iam_role_arn")
 	cpaRoleID := terraform.Output(t, terraformOptions, "cpa_role_id")
 
-	fmt.Println(fmt.Sprintf("awsRoleARN : %s", awsRoleARN))
-	fmt.Println(fmt.Sprintf("cpaRoleID : %s", cpaRoleID))
+	fmt.Printf("awsRoleARN : %s", awsRoleARN)
+	fmt.Printf("cpaRoleID : %s", cpaRoleID)
 
 	terraformOptionsUpdated := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles",
 		Vars: map[string]interface{}{
-			"access_key":          accessKey,
-			"secret_key":          secretKey,
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"access_key":          awsSecrets.AccessKey,
+			"secret_key":          awsSecrets.SecretKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 			"aws_iam_role_arn":    awsRoleARN,
 		},
 	})
@@ -77,11 +65,11 @@ func TestTerraformResourceMongoDBAtlasEncryptionAtRestWithRole_basicAWS(t *testi
 		// The path to where our Terraform code is located
 		TerraformDir: "../examples/atlas-encryptionAtRest-roles/second_step",
 		Vars: map[string]interface{}{
-			"customer_master_key": customerKey,
-			"atlas_region":        awsRegion,
-			"project_id":          projectID,
-			"public_key":          publicKey,
-			"private_key":         privateKey,
+			"customer_master_key": awsSecrets.CustomerMasterKey,
+			"atlas_region":        awsSecrets.AwsRegion,
+			"project_id":          mongoSecrets.ProjectID,
+			"public_key":          mongoSecrets.PublicKey,
+			"private_key":         mongoSecrets.PrivateKey,
 			"cpa_role_id":         cpaRoleID,
 		},
 	})
diff --git a/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup.go b/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup.go
new file mode 100644
index 0000000000..cdd0ec7db7
--- /dev/null
+++ b/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup.go
@@ -0,0 +1,98 @@
+package mongodbatlas
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	matlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+func dataSourceMongoDBAtlasCloudProviderAccessSetup() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceMongoDBAtlasCloudProviderAccessSetupRead,
+		Schema: map[string]*schema.Schema{
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"provider_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice([]string{"AWS"}, false),
+			},
+			"role_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"aws": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"atlas_aws_account_arn": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"atlas_assumed_role_external_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+			"created_date": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceMongoDBAtlasCloudProviderAccessSetupRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*matlas.Client)
+	projectID := d.Get("project_id").(string)
+	providerName := d.Get("provider_name").(string)
+	roleID := d.Get("role_id").(string)
+
+	roles, _, err := conn.CloudProviderAccess.ListRoles(context.Background(), projectID)
+
+	if err != nil {
+		return fmt.Errorf(errorGetRead, err)
+	}
+
+	// aws specific
+	if providerName == "AWS" {
+		var targetRole matlas.AWSIAMRole
+		// searching in roles
+		for i := range roles.AWSIAMRoles {
+			role := &(roles.AWSIAMRoles[i])
+			if role.RoleID == roleID && role.ProviderName == providerName {
+				targetRole = *role
+			}
+		}
+		// Not Found
+		if targetRole.RoleID == "" && !d.IsNewResource() {
+			d.SetId("")
+			return nil
+		}
+
+		roleSchema := roleToSchemaSetup(&targetRole)
+
+		for key, val := range roleSchema {
+			if err := d.Set(key, val); err != nil {
+				return fmt.Errorf(errorGetRead, err)
+			}
+		}
+	} else {
+		// planning for the future multiple providers
+		return fmt.Errorf(errorGetRead,
+			fmt.Sprintf("unsupported provider type %s", providerName))
+	}
+
+	d.SetId(resource.UniqueId())
+
+	return nil
+}
diff --git a/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup_test.go b/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup_test.go
new file mode 100644
index 0000000000..f6cb740567
--- /dev/null
+++ b/mongodbatlas/data_source_mongodbatlas_cloud_provider_access_setup_test.go
@@ -0,0 +1,58 @@
+package mongodbatlas
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+)
+
+// covers both resource creation and datasource creation for setup
+
+const (
+	dataSourceCPASProviderConfig = `
+	resource "mongodbatlas_cloud_provider_access_setup" "%[1]s" {
+		project_id = "%[2]s"
+		provider_name = "%[3]s"
+	 }
+	 
+	 data "mongodbatlas_cloud_provider_access_setup" "%[4]s" {
+		project_id = mongodbatlas_cloud_provider_access_setup.%[1]s.project_id
+		provider_name = "%[3]s"
+		role_id =  mongodbatlas_cloud_provider_access_setup.%[1]s.role_id
+	 }
+	 `
+)
+
+func TestAccdataSourceMongoDBAtlasCloudProviderAccessSetup_aws_basic(t *testing.T) {
+	var (
+		suffix     = acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
+		name       = "cpas" + suffix
+		dataSCName = "ds_cpas" + suffix
+		projectID  = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+
+		// resources fqdn name
+		resourceName = "mongodbatlas_cloud_provider_access_setup." + name
+		dsName       = "data.mongodbatlas_cloud_provider_access_setup." + dataSCName
+	)
+
+	config := fmt.Sprintf(dataSourceCPASProviderConfig, name, projectID, "AWS", dataSCName)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(resourceName, "created_date"),
+					resource.TestCheckResourceAttrSet(resourceName, "role_id"),
+					resource.TestCheckResourceAttr(dsName, "project_id", projectID),
+					resource.TestCheckResourceAttrSet(dsName, "aws.atlas_assumed_role_external_id"),
+				),
+			},
+		},
+	})
+}
diff --git a/mongodbatlas/provider.go b/mongodbatlas/provider.go
index b2bf7c2a6c..6747f70f8e 100644
--- a/mongodbatlas/provider.go
+++ b/mongodbatlas/provider.go
@@ -66,6 +66,7 @@ func Provider() terraform.ResourceProvider {
 			"mongodbatlas_third_party_integration":               dataSourceMongoDBAtlasThirdPartyIntegration(),
 			"mongodbatlas_project_ip_access_list":                dataSourceMongoDBAtlasProjectIPAccessList(),
 			"mongodbatlas_cloud_provider_access":                 dataSourceMongoDBAtlasCloudProviderAccessList(),
+			"mongodbatlas_cloud_provider_access_setup":           dataSourceMongoDBAtlasCloudProviderAccessSetup(),
 			"mongodbatlas_custom_dns_configuration_cluster_aws":  dataSourceMongoDBAtlasCustomDNSConfigurationAWS(),
 			"mongodbatlas_ldap_configuration":                    dataSourceMongoDBAtlasLDAPConfiguration(),
 			"mongodbatlas_ldap_verify":                           dataSourceMongoDBAtlasLDAPVerify(),
@@ -101,6 +102,8 @@ func Provider() terraform.ResourceProvider {
 			"mongodbatlas_custom_dns_configuration_cluster_aws":  resourceMongoDBAtlasCustomDNSConfiguration(),
 			"mongodbatlas_ldap_configuration":                    resourceMongoDBAtlasLDAPConfiguration(),
 			"mongodbatlas_ldap_verify":                           resourceMongoDBAtlasLDAPVerify(),
+			"mongodbatlas_cloud_provider_access_setup":           resourceMongoDBAtlasCloudProviderAccessSetup(),
+			"mongodbatlas_cloud_provider_access_authorization":   resourceMongoDBAtlasCloudProviderAccessAuthorization(),
 		},
 
 		ConfigureFunc: providerConfigure,
diff --git a/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization.go b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization.go
new file mode 100644
index 0000000000..982a40ddcc
--- /dev/null
+++ b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_authorization.go
@@ -0,0 +1,271 @@
+package mongodbatlas
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	matlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+/*
+	A cloud provider access authorization
+*/
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorization() *schema.Resource {
+	return &schema.Resource{
+		Read:   resourceMongoDBAtlasCloudProviderAccessAuthorizationRead,
+		Create: resourceMongoDBAtlasCloudProviderAccessAuthorizationCreate,
+		Update: resourceMongoDBAtlasCloudProviderAccessAuthorizationUpdate,
+		Delete: resourceMongoDBAtlasCloudProviderAccessAuthorizationPlaceHolder,
+
+		Schema: map[string]*schema.Schema{
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"role_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"aws": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"iam_assumed_role_arn": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+					},
+				},
+			},
+			"feature_usages": {
+				Type:     schema.TypeList,
+				Elem:     featureUsagesSchema(),
+				Computed: true,
+			},
+			"authorized_date": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationRead(d *schema.ResourceData, meta interface{}) error {
+	// sadly there is no just get API
+	conn := meta.(*matlas.Client)
+	ids := decodeStateID(d.Id())
+
+	roleID := ids["id"] // atlas ID
+	projectID := ids["project_id"]
+
+	targetRole, err := FindRole(conn, projectID, roleID)
+
+	if err != nil {
+		return err
+	}
+
+	if targetRole == nil {
+		return fmt.Errorf(errorGetRead, "cloud provider access role not found in mongodbatlas, please create it first")
+	}
+
+	roleSchema := roleToSchemaAuthorization(targetRole)
+
+	for key, val := range roleSchema {
+		if err := d.Set(key, val); err != nil {
+			return fmt.Errorf(errorGetRead, err)
+		}
+	}
+
+	// If not authorize , then request the authorization
+	if targetRole.AuthorizedDate == "" && !d.IsNewResource() {
+		d.SetId("")
+		return nil
+	}
+
+	return nil
+}
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*matlas.Client)
+
+	projectID := d.Get("project_id").(string)
+	roleID := d.Get("role_id").(string)
+
+	// validation
+	targetRole, err := FindRole(conn, projectID, roleID)
+
+	if err != nil {
+		return err
+	}
+
+	if targetRole == nil {
+		return fmt.Errorf(errorGetRead, "cloud provider access role not found in mongodbatlas, please create it first")
+	}
+
+	// once multiple providers added, modify this section
+	roleAWS, ok := d.GetOk("aws")
+
+	if !ok {
+		return fmt.Errorf("error CloudProviderAccessAuthorization missing iam_assumed_role_arn")
+	}
+
+	iamRole := (roleAWS.(map[string]interface{}))["iam_assumed_role_arn"]
+
+	req := &matlas.CloudProviderAuthorizationRequest{
+		ProviderName:      targetRole.ProviderName,
+		IAMAssumedRoleARN: iamRole.(string),
+	}
+
+	var role *matlas.AWSIAMRole
+
+	// aws takes time to update , in case of single path
+	for i := 0; i < 3; i++ {
+		role, _, err = conn.CloudProviderAccess.AuthorizeRole(context.Background(), projectID, roleID, req)
+		if err != nil && strings.Contains(err.Error(), "CANNOT_ASSUME_ROLE") {
+			log.Printf("warning issue performing authorize: %s \n", err.Error())
+			log.Println("retrying ")
+			time.Sleep(10 * time.Second)
+			continue
+		}
+		break
+	}
+
+	if err != nil {
+		return fmt.Errorf("error cloud provider access authorization %s", err)
+	}
+
+	authSchema := roleToSchemaAuthorization(role)
+
+	// role id
+	d.SetId(encodeStateID(map[string]string{
+		"id":         role.RoleID,
+		"project_id": projectID,
+	}))
+
+	for key, val := range authSchema {
+		if err := d.Set(key, val); err != nil {
+			return fmt.Errorf(errorCloudProviderAccessCreate, err)
+		}
+	}
+
+	return nil
+}
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationUpdate(d *schema.ResourceData, meta interface{}) error {
+	// sadly there is no just get API
+	conn := meta.(*matlas.Client)
+	ids := decodeStateID(d.Id())
+
+	roleID := ids["id"] // atlas ID
+	projectID := ids["project_id"]
+
+	targetRole, err := FindRole(conn, projectID, roleID)
+
+	if err != nil {
+		return err
+	}
+
+	if targetRole == nil {
+		return fmt.Errorf(errorGetRead, "cloud provider access role not found in mongodbatlas, please create it first")
+	}
+
+	if d.HasChange("aws") {
+		roleAWS, ok := d.GetOk("aws")
+
+		if !ok {
+			return fmt.Errorf("error CloudProviderAccessAuthorization missing iam_assumed_role_arn")
+		}
+
+		iamRole := (roleAWS.(map[string]interface{}))["iam_assumed_role_arn"]
+
+		req := &matlas.CloudProviderAuthorizationRequest{
+			ProviderName:      targetRole.ProviderName,
+			IAMAssumedRoleARN: iamRole.(string),
+		}
+
+		var role *matlas.AWSIAMRole
+
+		// aws takes time to update , in case of single path
+		for i := 0; i < 3; i++ {
+			role, _, err = conn.CloudProviderAccess.AuthorizeRole(context.Background(), projectID, roleID, req)
+			if err != nil && strings.Contains(err.Error(), "CANNOT_ASSUME_ROLE") {
+				log.Printf("warning issue performing authorize: %s \n", err.Error())
+				log.Println("retrying ")
+				time.Sleep(10 * time.Second)
+				continue
+			}
+			break
+		}
+
+		if err != nil {
+			return fmt.Errorf("error cloud provider access authorization update %s", err)
+		}
+
+		authSchema := roleToSchemaAuthorization(role)
+
+		// role id
+		d.SetId(encodeStateID(map[string]string{
+			"id":         role.RoleID,
+			"project_id": projectID,
+		}))
+
+		for key, val := range authSchema {
+			if err := d.Set(key, val); err != nil {
+				return fmt.Errorf(errorCloudProviderAccessCreate, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func resourceMongoDBAtlasCloudProviderAccessAuthorizationPlaceHolder(d *schema.ResourceData, meta interface{}) error {
+	return nil
+}
+
+func roleToSchemaAuthorization(role *matlas.AWSIAMRole) map[string]interface{} {
+	out := map[string]interface{}{
+		"role_id": role.RoleID,
+		"aws": map[string]interface{}{
+			"iam_assumed_role_arn": role.IAMAssumedRoleARN,
+		},
+		"authorized_date": role.AuthorizedDate,
+	}
+
+	// features
+	features := make([]map[string]interface{}, 0, len(role.FeatureUsages))
+
+	for _, featureUsage := range role.FeatureUsages {
+		features = append(features, featureToSchema(featureUsage))
+	}
+
+	out["feature_usages"] = features
+
+	return out
+}
+
+func FindRole(conn *matlas.Client, projectID, roleID string) (targetRole *matlas.AWSIAMRole, err error) {
+	roles, _, err := conn.CloudProviderAccess.ListRoles(context.Background(), projectID)
+
+	if err != nil {
+		return nil, fmt.Errorf(errorGetRead, err)
+	}
+
+	sort.Slice(roles.AWSIAMRoles,
+		func(i, j int) bool { return roles.AWSIAMRoles[i].RoleID < roles.AWSIAMRoles[j].RoleID })
+
+	index := sort.Search(len(roles.AWSIAMRoles), func(i int) bool { return roles.AWSIAMRoles[i].RoleID >= roleID })
+
+	if index < len(roles.AWSIAMRoles) && roles.AWSIAMRoles[index].RoleID == roleID {
+		targetRole = &(roles.AWSIAMRoles[index])
+	}
+
+	return
+}
diff --git a/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup.go b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup.go
new file mode 100644
index 0000000000..8cebb967cf
--- /dev/null
+++ b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup.go
@@ -0,0 +1,213 @@
+package mongodbatlas
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/validation"
+	matlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+/*
+	mongodb_atlas_cloud_provider_access_setup
+	-> Creates the the information from the mongodbatlas side
+	-> The delete deletes and deauthorize the role
+*/
+
+func resourceMongoDBAtlasCloudProviderAccessSetup() *schema.Resource {
+	return &schema.Resource{
+		Read:   resourceMongoDBAtlasCloudProviderAccessSetupRead,
+		Create: resourceMongoDBAtlasCloudProviderAccessSetupCreate,
+		Update: resourceMongoDBAtlasCloudProviderAccessAuthorizationPlaceHolder,
+		Delete: resourceMongoDBAtlasCloudProviderAccessSetupDelete,
+		Importer: &schema.ResourceImporter{
+			State: resourceMongoDBAtlasCloudProviderAccessSetupImportState,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"project_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			// Note: when new providers will be added, this will trigger a recreate
+			"provider_name": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice([]string{"AWS"}, false),
+			},
+			"aws": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"atlas_aws_account_arn": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"atlas_assumed_role_external_id": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+					},
+				},
+			},
+			"created_date": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"role_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func resourceMongoDBAtlasCloudProviderAccessSetupRead(d *schema.ResourceData, meta interface{}) error {
+	// sadly there is no just get API
+	conn := meta.(*matlas.Client)
+	ids := decodeStateID(d.Id())
+	projectID := ids["project_id"]
+	providerName := ids["provider_name"]
+
+	roles, _, err := conn.CloudProviderAccess.ListRoles(context.Background(), projectID)
+
+	if err != nil {
+		return fmt.Errorf(errorGetRead, err)
+	}
+
+	// aws specific
+	if providerName == "AWS" {
+		var targetRole matlas.AWSIAMRole
+		// searching in roles
+		for i := range roles.AWSIAMRoles {
+			role := &(roles.AWSIAMRoles[i])
+			if role.RoleID == ids["id"] && role.ProviderName == ids["provider_name"] {
+				targetRole = *role
+			}
+		}
+		// Not Found
+		if targetRole.RoleID == "" && !d.IsNewResource() {
+			d.SetId("")
+			return nil
+		}
+
+		roleSchema := roleToSchemaSetup(&targetRole)
+
+		for key, val := range roleSchema {
+			if err := d.Set(key, val); err != nil {
+				return fmt.Errorf(errorGetRead, err)
+			}
+		}
+	} else {
+		// planning for the future multiple providers
+		return fmt.Errorf(errorGetRead,
+			fmt.Sprintf("unsopported provider type %s", providerName))
+	}
+
+	return nil
+}
+
+func resourceMongoDBAtlasCloudProviderAccessSetupCreate(d *schema.ResourceData, meta interface{}) error {
+	projectID := d.Get("project_id").(string)
+
+	conn := meta.(*matlas.Client)
+
+	requestParameters := &matlas.CloudProviderAccessRoleRequest{
+		ProviderName: d.Get("provider_name").(string),
+	}
+
+	role, _, err := conn.CloudProviderAccess.CreateRole(context.Background(), projectID, requestParameters)
+
+	if err != nil {
+		return fmt.Errorf(errorCloudProviderAccessCreate, err)
+	}
+
+	// once multiple providers enable here do a switch, select for provider type
+	roleSchema := roleToSchemaSetup(role)
+
+	d.SetId(encodeStateID(map[string]string{
+		"id":            role.RoleID,
+		"project_id":    projectID,
+		"provider_name": role.ProviderName,
+	}))
+
+	for key, val := range roleSchema {
+		if err := d.Set(key, val); err != nil {
+			return fmt.Errorf(errorCloudProviderAccessCreate, err)
+		}
+	}
+
+	return nil
+}
+
+func resourceMongoDBAtlasCloudProviderAccessSetupDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*matlas.Client)
+	ids := decodeStateID(d.Id())
+
+	projectID := ids["project_id"]
+	roleID := ids["id"]
+	providerName := ids["provider_name"]
+
+	req := &matlas.CloudProviderDeauthorizationRequest{
+		ProviderName: providerName,
+		RoleID:       roleID,
+		GroupID:      projectID,
+	}
+
+	_, err := conn.CloudProviderAccess.DeauthorizeRole(context.Background(), req)
+
+	if err != nil {
+		return fmt.Errorf(errorCloudProviderAccessDelete, err)
+	}
+
+	return nil
+}
+
+func roleToSchemaSetup(role *matlas.AWSIAMRole) map[string]interface{} {
+	out := map[string]interface{}{
+		"provider_name": role.ProviderName,
+		"aws": map[string]interface{}{
+			"atlas_aws_account_arn":          role.AtlasAWSAccountARN,
+			"atlas_assumed_role_external_id": role.AtlasAssumedRoleExternalID,
+		},
+		"created_date": role.CreatedDate,
+		"role_id":      role.RoleID,
+	}
+
+	return out
+}
+
+func resourceMongoDBAtlasCloudProviderAccessSetupImportState(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
+	projectID, providerName, roleID, err := splitCloudProviderAccessID(d.Id())
+
+	if err != nil {
+		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+	}
+
+	// searching id in internal format
+	d.SetId(encodeStateID(map[string]string{
+		"id":            roleID,
+		"project_id":    projectID,
+		"provider_name": providerName,
+	}))
+
+	err = resourceMongoDBAtlasCloudProviderAccessSetupRead(d, meta)
+
+	if err != nil {
+		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+	}
+
+	// case of not found
+	if d.Id() == "" {
+		return nil, fmt.Errorf(errorCloudProviderAccessImporter, " Resource not found at the cloud please check your id")
+	}
+
+	// params syncing
+	if err = d.Set("project_id", projectID); err != nil {
+		return nil, fmt.Errorf(errorCloudProviderAccessImporter, err)
+	}
+
+	return []*schema.ResourceData{d}, nil
+}
diff --git a/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup_test.go b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup_test.go
new file mode 100644
index 0000000000..161859349b
--- /dev/null
+++ b/mongodbatlas/resource_mongodbatlas_cloud_provider_access_setup_test.go
@@ -0,0 +1,83 @@
+package mongodbatlas
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	matlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+const (
+	createProviderAccessSetupRole = `
+	resource "mongodbatlas_cloud_provider_access_setup" "%[1]s" {
+		project_id = "%[2]s"
+		provider_name = "%[3]s"
+	 }
+
+	`
+)
+
+func TestAccResourceMongoDBAtlasCloudProviderAccessSetup_basic(t *testing.T) {
+	var (
+		name         = "test_basic" + acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
+		resourceName = "mongodbatlas_cloud_provider_access_setup." + name
+		projectID    = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+		targetRole   = matlas.AWSIAMRole{}
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		// same as regular cloud provider access resource
+		CheckDestroy: testAccCheckMongoDBAtlasProviderAccessDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(createProviderAccessSetupRole, name, projectID, "AWS"),
+				Check: resource.ComposeTestCheckFunc(
+					// same as regular cloud resource
+					testAccCheckMongoDBAtlasProviderAccessExists(resourceName, &targetRole),
+					resource.TestCheckResourceAttrSet(resourceName, "aws.atlas_assumed_role_external_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "aws.atlas_aws_account_arn"),
+				),
+			},
+		},
+	},
+	)
+}
+
+func TestAccResourceMongoDBAtlasCloudProviderAccessSetup_importBasic(t *testing.T) {
+	var (
+		name         = "test_basic" + acctest.RandStringFromCharSet(10, acctest.CharSetAlpha)
+		resourceName = "mongodbatlas_cloud_provider_access_setup." + name
+		projectID    = os.Getenv("MONGODB_ATLAS_PROJECT_ID")
+		targetRole   = matlas.AWSIAMRole{}
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckMongoDBAtlasProviderAccessDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(createProviderAccessSetupRole, name, projectID, "AWS"),
+				Check: resource.ComposeTestCheckFunc(
+					// same as regular cloud provider because we are just checking in the api
+					testAccCheckMongoDBAtlasProviderAccessExists(resourceName, &targetRole),
+					resource.TestCheckResourceAttrSet(resourceName, "aws.atlas_assumed_role_external_id"),
+					resource.TestCheckResourceAttrSet(resourceName, "aws.atlas_aws_account_arn"),
+				),
+			},
+			{
+				ResourceName: resourceName,
+				// ID remains the same project-id, provider-name and id for consistency
+				ImportStateIdFunc: testAccCheckMongoDBAtlasCloudProviderAccessImportStateIDFunc(resourceName),
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	},
+	)
+}
diff --git a/website/docs/d/cloud_provider_access.markdown b/website/docs/d/cloud_provider_access.markdown
index 6625691dba..61c5fd1206 100644
--- a/website/docs/d/cloud_provider_access.markdown
+++ b/website/docs/d/cloud_provider_access.markdown
@@ -13,7 +13,7 @@ description: |-
 -> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
 
 ## Example Usage
-```
+```hcl
 resource "mongodbatlas_cloud_provider_access" "test_role" {
    project_id = "<PROJECT-ID>"
    provider_name = "AWS"
diff --git a/website/docs/d/cloud_provider_access_setup.markdown b/website/docs/d/cloud_provider_access_setup.markdown
new file mode 100644
index 0000000000..5b96e868b9
--- /dev/null
+++ b/website/docs/d/cloud_provider_access_setup.markdown
@@ -0,0 +1,45 @@
+---
+layout: "mongodbatlas"
+page_title: "MongoDB Atlas: mongodbatlas_cloud_provider_access_setup"
+sidebar_current: "docs-mongodbatlas-datasource-cloud-provider-access-setup"
+description: |-
+    Allows you to get the a single role for cloud provider access setup 
+---
+
+# mongodbatlas_cloud_provider_access
+
+`mongodbatlas_cloud_provider_access` allows you to get a single role for a provider access role setup, currently only AWS is supported.
+
+-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
+
+## Example Usage
+```hcl
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id = "<PROJECT-ID>"
+   provider_name = "AWS"
+}
+
+data "mongodbatlas_cloud_provider_access_setup" "single_setup" {
+   project_id = mongodbatlas_cloud_provider_access_setup.test_role.project_id
+   provider_name = mongodbatlas_cloud_provider_access_setup.test_role.provider_name
+   role_id = mongodbatlas_cloud_provider_access_setup.test_role.role_id
+}
+```
+
+## Argument Reference
+
+* `project_id` - (Required) The unique ID for the project to get all Cloud Provider Access 
+* `provider_name` - (Required) cloud provider name, currently only AWS is supported
+* `role_id` - (Required) unique role id among all the aws roles provided by mongodb atlas 
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id`              - Autogenerated Unique ID for this data source.
+* `aws`           - aws related role information
+    * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
+    * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
+* `created_date`  - Date on which this role was created.
+
+See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/cloud-provider-access-get-roles/) Documentation for more information.
\ No newline at end of file
diff --git a/website/docs/r/cloud_provider_access.markdown b/website/docs/r/cloud_provider_access.markdown
index 89eea9e5e6..083365d301 100644
--- a/website/docs/r/cloud_provider_access.markdown
+++ b/website/docs/r/cloud_provider_access.markdown
@@ -6,9 +6,18 @@ description: |-
     Provides a Cloud Provider Access settings resource for registration, authorization, and deauthorization
 ---
 
-# mongodbatlas_cloud_provider_access
+# Cloud Provider Access Configuration Paths
 
-`mongodbatlas_cloud_provider_access` Allows you to register and authorize AWS IAM roles in Atlas.
+The MongoDB Atlas provider offers two paths to perform an authorization for a cloud provider role.
+
+* A single resource path using the `mongodbatlas_cloud_provider_access` that at provision time sets up all the required configuration for a given provider, then with a subsequent update it can perform the authorize of the role.
+
+* A two resource path, consisting of `mongodbatlas_cloud_provider_access_setup` and `mongodbatlas_cloud_provider_access_authorization`. The first resource, `mongodbatlas_cloud_provider_access_setup`, only generates
+the initial configuration (create, delete operations). The second resource, `mongodbatlas_cloud_provider_access_authorization`, helps to perform the authorization using the role_id of the first resource. This path is helpful in a multi-provider Terraform file, and allows a single and decoupled apply.
+
+## mongodbatlas_cloud_provider_access
+
+`mongodbatlas_cloud_provider_access` Allows you to register and authorize AWS IAM roles in Atlas. This is the resource to use for the single resource path described above.
 
 -> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
 
@@ -27,7 +36,7 @@ resource "mongodbatlas_cloud_provider_access" "test_role" {
 
 ## Argument Reference
 
-* `project_id` - (Required) The unique ID for the project to get all Cloud Provider Access 
+* `project_id` - (Required) The unique ID for the project
 * `provider_name` - (Required) The cloud provider for which to create a new role. Currently only AWS is supported.
 * `iam_assumed_role_arn` - (Optional) - ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. This value is required after the creation (register of the role) as part of [Set Up Unified AWS Access](https://docs.atlas.mongodb.com/security/set-up-unified-aws-access/#set-up-unified-aws-access).
 
@@ -52,7 +61,7 @@ Once the resource is created add the field `iam_assumed_role_arn` see [Set Up Un
 resource "mongodbatlas_cloud_provider_access" "test_role" {
    project_id = "<PROJECT-ID>"
    provider_name = "AWS"
-   iam_assumed_role_arn = "arn:aws:iam::520983883852:role/mongodb_ec2_s3"
+   iam_assumed_role_arn = "arn:aws:iam::772401394250:role/test-user-role"
 }
 
 ```
@@ -65,4 +74,89 @@ The Cloud Provider Access resource can be imported using project ID and the prov
 $ terraform import mongodbatlas_cloud_provider_access.my_role 1112222b3bf99403840e8934-AWS-5fc17d476f7a33224f5b224e
 ```
 
-See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/cloud-provider-access-create-one-role/) Documentation for more information.
\ No newline at end of file
+## mongodbatlas_cloud_provider_access (optional)
+
+This is the first resource in the two-resource path as described above.
+
+`mongodbatlas_cloud_provider_access_setup` Allows you to only register AWS IAM roles in Atlas.
+
+-> **NOTE:** Groups and projects are synonymous terms. You may find `groupId` in the official documentation.
+
+## Example Usage
+
+```hcl
+
+resource "mongodbatlas_cloud_provider_access_setup" "test_role" {
+   project_id = "<PROJECT-ID>"
+   provider_name = "AWS"
+}
+
+```
+
+## Argument Reference
+
+* `project_id` - (Required) The unique ID for the project
+* `provider_name` - (Required) The cloud provider for which to create a new role. Currently only AWS is supported.
+
+
+## Attributes Reference
+
+* `id` - Unique identifier used by terraform for internal management.
+* `aws` - aws related arn roles 
+   * `atlas_assumed_role_external_id` - Unique external ID Atlas uses when assuming the IAM role in your AWS account.
+   * `atlas_aws_account_arn`          - ARN associated with the Atlas AWS account used to assume IAM roles in your AWS account.
+* `created_date`                   - Date on which this role was created.
+* `role_id`                        - Unique ID of this role.
+
+## Import: mongodbatlas_cloud_provider_access_setup
+For consistency is has the same format as the regular mongodbatlas_cloud_provider_access resource 
+can be imported using project ID and the provider name and mongodbatlas role id, in the format 
+`project_id`-`provider_name`-`role_id`, e.g.
+
+```
+$ terraform import mongodbatlas_cloud_provider_access_setup.my_role 1112222b3bf99403840e8934-AWS-5fc17d476f7a33224f5b224e
+```
+
+## mongodbatlas_cloud_provider_authorization (optional)
+
+This is the second resource in the two-resource path as described above.
+`mongodbatlas_cloud_provider_access_authorization`  Allows you to authorize an AWS IAM roles in Atlas.
+
+## Example Usage
+```hcl
+
+resource "mongodbatlas_cloud_provider_access_setup" "setup_only" {
+   project_id = "<PROJECT-ID>"
+   provider_name = "AWS"
+}
+
+
+resource "mongodbatlas_cloud_provider_access_authorization" "auth_role" {
+   project_id =  mongodbatlas_cloud_provider_access_setup.setup_only.project_id
+   role_id    =  mongodbatlas_cloud_provider_access_setup.setup_only.role_id
+
+   aws = {
+      iam_assumed_role_arn = "arn:aws:iam::772401394250:role/test-user-role"
+   }
+}
+
+```
+
+## Argument Reference
+
+* `project_id` - (Required) The unique ID for the project
+* `role_id`    - (Required) Unique ID of this role returned by mongodb atlas api
+
+Conditional 
+* `aws`
+   * `iam_assumed_role_arn` - (Required) ARN of the IAM Role that Atlas assumes when accessing resources in your AWS account. This value is required after the creation (register of the role) as part of [Set Up Unified AWS Access](https://docs.atlas.mongodb.com/security/set-up-unified-aws-access/#set-up-unified-aws-access).
+   
+
+## Attributes Reference
+
+* `id`               - Unique identifier used by terraform for internal management.
+* `authorized_date`  - Date on which this role was authorized.
+* `feature_usages`   - Atlas features this AWS IAM role is linked to.
+
+
+See [MongoDB Atlas API](https://docs.atlas.mongodb.com/reference/api/cloud-provider-access-create-one-role/) Documentation for more information.