rancher · matttrach · May 12, 2026 · Apr 22, 2026 · Apr 23, 2026 · May 5, 2026
diff --git a/docs/data-sources/global_role_binding.md b/docs/data-sources/global_role_binding.md
@@ -25,5 +25,6 @@ data "rancher2_global_role_binding" "foo" {
 * `id` - (Computed) The ID of the resource (string)
 * `group_principal_id` - (Computed) The group principal ID to assign global role binding. Rancher v2.4.0 or higher is required (string)
 * `user_id` - (Computed) The user ID to assign global role binding (string)
+* `user_principal_id` - (Computed) The user principal ID to assign global role binding (string)
 * `annotations` - (Computed) Annotations of the resource (map)
 * `labels` - (Computed) Labels of the resource (map)
diff --git a/docs/resources/global_role_binding.md b/docs/resources/global_role_binding.md
@@ -15,10 +15,16 @@ resource "rancher2_global_role_binding" "foo" {
   global_role_id = "admin"
   user_id = "user-XXXXX"
 }
-# Create a new rancher2 Global Role Binding using group_principal_id
+# Create a new rancher2 Global Role Binding using user_principal_id
 resource "rancher2_global_role_binding" "foo2" {
   name = "foo2"
   global_role_id = "admin"
+  user_principal_id = "local://user-XXXXX"
+}
+# Create a new rancher2 Global Role Binding using group_principal_id
+resource "rancher2_global_role_binding" "foo3" {
+  name = "foo3"
+  global_role_id = "admin"
   group_principal_id = "local://g-XXXXX"
 }
 ```
@@ -30,11 +36,12 @@ The following arguments are supported:
 * `global_role_id` - (Required/ForceNew) The role id from create global role binding (string)
 * `group_principal_id` - (Optional/Computed/ForceNew) The group principal ID to assign global role binding (only works with external auth providers that support groups). Rancher v2.4.0 or higher is required (string)
 * `user_id` - (Optional/Computed/ForceNew) The user ID to assign global role binding (string)
+* `user_principal_id` - (Optional/Computed/ForceNew) The user principal ID to assign global role binding (string)
 * `name` - (Optional/Computed/ForceNew) The name of the global role binding (string)
 * `annotations` - (Optional/Computed) Annotations for global role binding (map)
 * `labels` - (Optional/Computed) Labels for global role binding (map)
 
-**Note:** user `user_id` OR group `group_principal_id` must be defined
+**Note:** user `user_id` or `user_principal_id` OR group `group_principal_id` must be defined
 
 ## Attributes Reference
 

diff --git a/rancher2/data_source_rancher2_global_role_binding.go b/rancher2/data_source_rancher2_global_role_binding.go
@@ -24,6 +24,10 @@ func dataSourceRancher2GlobalRoleBinding() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"user_principal_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			"group_principal_id": {
 				Type:     schema.TypeString,
 				Computed: true,

diff --git a/rancher2/schema_global_role_binding.go b/rancher2/schema_global_role_binding.go
@@ -4,7 +4,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 )
 
-// Shemas
+// Schemas
 
 func globalRoleBindingFields() map[string]*schema.Schema {
 	s := map[string]*schema.Schema{
@@ -19,6 +19,12 @@ func globalRoleBindingFields() map[string]*schema.Schema {
 			Computed: true,
 			ForceNew: true,
 		},
+		"user_principal_id": {
+			Type:     schema.TypeString,
+			Optional: true,
+			Computed: true,
+			ForceNew: true,
+		},
 		"name": {
 			Type:     schema.TypeString,
 			Optional: true,

diff --git a/rancher2/structure_global_role_binding.go b/rancher2/structure_global_role_binding.go
@@ -15,6 +15,7 @@ func flattenGlobalRoleBinding(d *schema.ResourceData, in *managementClient.Globa
 	d.SetId(in.ID)
 	d.Set("global_role_id", in.GlobalRoleID)
 	d.Set("user_id", in.UserID)
+	d.Set("user_principal_id", in.UserPrincipalID)
 	d.Set("name", in.Name)
 
 	if len(in.GroupPrincipalID) > 0 {
@@ -49,6 +50,7 @@ func expandGlobalRoleBinding(in *schema.ResourceData) *managementClient.GlobalRo
 
 	obj.GlobalRoleID = in.Get("global_role_id").(string)
 	obj.UserID = in.Get("user_id").(string)
+	obj.UserPrincipalID = in.Get("user_principal_id").(string)
 	obj.Name = in.Get("name").(string)
 
 	if v, ok := in.Get("group_principal_id").(string); ok && len(v) > 0 {

diff --git a/rancher2/structure_global_role_binding_test.go b/rancher2/structure_global_role_binding_test.go
@@ -16,16 +16,18 @@ var (
 
 func init() {
 	testGlobalRoleBindingConf = &managementClient.GlobalRoleBinding{
-		GlobalRoleID:     "global_role_id",
-		GroupPrincipalID: "group_principal_id",
-		UserID:           "user-test",
-		Name:             "test",
+		GlobalRoleID:      "global_role_id",
+		GroupPrincipalID:  "group_principal_id",
+		UserPrincipalID:   "user_principal_id",
+		UserID:            "user-test",
+		Name:              "test",
 	}
 	testGlobalRoleBindingInterface = map[string]interface{}{
-		"global_role_id":     "global_role_id",
-		"group_principal_id": "group_principal_id",
-		"user_id":            "user-test",
-		"name":               "test",
+		"global_role_id":      "global_role_id",
+		"group_principal_id":  "group_principal_id",
+		"user_principal_id":   "user_principal_id",
+		"user_id":             "user-test",
+		"name":                "test",
 	}
 }