docs: add missing screenshots for cloud-metadata and iam-role-assume pages

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: cyberchen98

cloud/iam-role-assume.mdx

@@ -144,6 +144,16 @@ After creating the sink or source, run a quick sanity check:
 | `AccessDenied` on S3 operations after assuming | The attached S3 policy is missing required actions | Add the missing S3 actions (see Step 1) |
 | `InvalidClientTokenId` | Incorrect IAM role ARN in the trust policy | Use the IAM role ARN from Cloud metadata |
 
+## Managing allowed principals in RisingWave Cloud
+
+To view and manage the IAM role ARNs that are authorized to access your project's resources via IAM Assume Role, go to your project in the [RisingWave Cloud Console](https://cloud.risingwave.com), click **Connection** in the left sidebar, and select the **Allowed Principals** tab.
+
+<Frame>
+<img src="/images/cloud/iam-role-assume/connection-allowed-principals.png" alt="Allowed Principals tab in the Connection page of the RisingWave Cloud Console"/>
+</Frame>
+
+Click **+ Add Principal** to add an IAM Role ARN that is allowed to access this project's resources.
+
 ## Related pages
 
 - [Cloud metadata](/cloud/cloud-metadata) — retrieve the IAM role ARN for your project