diff --git a/docs/resources/iam_service.md b/docs/resources/iam_service.md
index a1469b5c..18fbd794 100644
--- a/docs/resources/iam_service.md
+++ b/docs/resources/iam_service.md
@@ -28,6 +28,42 @@ resource "hsdp_iam_service" "testservice" {
 }
 ```
 
+The followin example creates a service with an external managed certificate
+
+```hcl
+resource "tls_private_key" "testservice" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_self_signed_cert" "testservice" {
+  private_key_pem = tls_private_key.testservice.private_key_pem
+
+  subject {
+    common_name  = "testservice." # Should match `service.name` + "." (dot)
+  }
+
+  validity_period_hours = 24
+
+  allowed_uses = [  ]
+}
+
+resource "hsdp_iam_service" "testservice" {
+  name                = "testservice"
+  description         = "Test service"
+  application_id      = var.app_id
+
+  validity            = 12   # Months
+  
+  token_validity      = 3600 # Seconds
+
+  scopes              = ["openid"]
+  default_scopes      = ["openid"]
+  
+  self_managed_certificate = tls_self_signed_cert.testservice.cert_pem
+}
+```
+
 ## Argument Reference
 
 The following arguments are supported:
@@ -42,6 +78,8 @@ The following arguments are supported:
 * `self_managed_private_key` - (Optional)  RSA private key in PEM format. When provided, overrides the generated certificate / private key combination of the
   IAM service. This gives you full control over the credentials. When not specified, a private key will be generated by IAM
 * `self_managed_expires_on` - (Optional) Sets the certificate validity. When not specified, the certificate will have a validity of 5 years.
+* `self_managed_certificate` - (Optional) X509 Certificate in PEM format. When provided, overrides the generated certificate / private key combination of the IAM service.
+  This gives you full control over the credentials. When not specified, a private key will be generated by IAM. Mutually exclusive with `self_managed_private_key`
 
 ## Attributes Reference