diff --git a/huaweicloud/resource_huaweicloud_cce_cluster_v3.go b/huaweicloud/resource_huaweicloud_cce_cluster_v3.go
index cc26f7b7a2..bd0a79af15 100644
--- a/huaweicloud/resource_huaweicloud_cce_cluster_v3.go
+++ b/huaweicloud/resource_huaweicloud_cce_cluster_v3.go
@@ -114,6 +114,11 @@ func resourceCCEClusterV3() *schema.Resource {
 				ForceNew: true,
 				Default:  "x509",
 			},
+			"authenticating_proxy_ca": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: true,
+			},
 			"multi_az": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -209,6 +214,10 @@ func resourceCCEClusterV3Create(d *schema.ResourceData, meta interface{}) error
 		return fmt.Errorf("Unable to create HuaweiCloud CCE client : %s", err)
 	}
 
+	authenticating_proxy := make(map[string]string)
+	if hasFilledOpt(d, "authenticating_proxy_ca") {
+		authenticating_proxy["ca"] = d.Get("authenticating_proxy_ca").(string)
+	}
 	createOpts := clusters.CreateOpts{
 		Kind:       "Cluster",
 		ApiVersion: "v3",
@@ -226,7 +235,7 @@ func resourceCCEClusterV3Create(d *schema.ResourceData, meta interface{}) error
 			ContainerNetwork: clusters.ContainerNetworkSpec{Mode: d.Get("container_network_type").(string),
 				Cidr: d.Get("container_network_cidr").(string)},
 			Authentication: clusters.AuthenticationSpec{Mode: d.Get("authentication_mode").(string),
-				AuthenticatingProxy: make(map[string]string)},
+				AuthenticatingProxy: authenticating_proxy},
 			BillingMode: d.Get("billing_mode").(int),
 			ExtendParam: resourceClusterExtendParamV3(d),
 		},
diff --git a/website/docs/r/cce_cluster_v3.html.md b/website/docs/r/cce_cluster_v3.html.md
index 5c8190be11..eb0f451257 100644
--- a/website/docs/r/cce_cluster_v3.html.md
+++ b/website/docs/r/cce_cluster_v3.html.md
@@ -82,6 +82,9 @@ The following arguments are supported:
 * `authentication_mode` - (Optional) Authentication mode of the cluster, possible values are x509 and rbac. Defaults to x509.
     Changing this parameter will create a new cluster resource.
 
+* `authenticating_proxy_ca` - (Optional) CA root certificate provided in the authenticating_proxy mode. The CA root certificate
+	is encoded to the Base64 format. Changing this parameter will create a new cluster resource.
+
 * `multi_az` - (Optional) Enable multiple AZs for the cluster, only when using HA flavors. Changing this parameter will create a new cluster resource.
 
 * `eip` - (Optional) EIP address of the cluster. Changing this parameter will create a new cluster resource.