diff --git a/.changelog/16065.txt b/.changelog/16065.txt
new file mode 100644
index 00000000000..ee28e1dda73
--- /dev/null
+++ b/.changelog/16065.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+iambeta: fixed a permadiff that could occur in the `jwks_json` field for `google_iam_workload_identity_pool_provider` resource
+```
\ No newline at end of file
diff --git a/google/services/iambeta/resource_iam_workload_identity_pool_provider.go b/google/services/iambeta/resource_iam_workload_identity_pool_provider.go
index 943320387c9..fe3d397fe1c 100644
--- a/google/services/iambeta/resource_iam_workload_identity_pool_provider.go
+++ b/google/services/iambeta/resource_iam_workload_identity_pool_provider.go
@@ -82,6 +82,24 @@ func ValidateWorkloadIdentityPoolProviderId(v interface{}, k string) (ws []strin
 	return
 }
 
+func jwksJsonDiffSuppress(k, old, new string, d *schema.ResourceData) bool {
+	if old == "" || new == "" {
+		return old == new
+	}
+
+	var oldJson, newJson interface{}
+
+	if err := json.Unmarshal([]byte(old), &oldJson); err != nil {
+		return false
+	}
+
+	if err := json.Unmarshal([]byte(new), &newJson); err != nil {
+		return false
+	}
+
+	return reflect.DeepEqual(oldJson, newJson)
+}
+
 var (
 	_ = bytes.Clone
 	_ = context.WithCancel
@@ -305,9 +323,9 @@ https://iam.googleapis.com/projects/<project-number>/locations/<location>/worklo
 							},
 						},
 						"jwks_json": {
-							Type:      schema.TypeString,
-							Optional:  true,
-							StateFunc: func(v interface{}) string { s, _ := structure.NormalizeJsonString(v); return s },
+							Type:             schema.TypeString,
+							Optional:         true,
+							DiffSuppressFunc: jwksJsonDiffSuppress,
 							Description: `OIDC JWKs in JSON String format. For details on definition of a
 JWK, see https:tools.ietf.org/html/rfc7517. If not set, then we
 use the 'jwks_uri' from the discovery document fetched from the