diff --git a/provider/provider_yaml_test.go b/provider/provider_yaml_test.go
index 8687792241..0a1a250214 100644
--- a/provider/provider_yaml_test.go
+++ b/provider/provider_yaml_test.go
@@ -957,3 +957,12 @@ func TestFirestoreBackupScheduleNoPermadiff(t *testing.T) {
 	pt.Up()
 	pt.Preview(optpreview.ExpectNoChanges())
 }
+
+func TestPAMEntitlementPermadiffRegress2167(t *testing.T) {
+	pt := pulumiTest(t, "test-programs/pam-entitlement", opttest.DownloadProviderVersion("random", "4.16.3"))
+
+	proj := getProject()
+	pt.SetConfig("gcpProj", proj)
+	pt.Up()
+	pt.Preview(optpreview.ExpectNoChanges())
+}
diff --git a/provider/resources.go b/provider/resources.go
index 9de8b020e1..ce175e3a92 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -465,7 +465,8 @@ func Provider() tfbridge.ProviderInfo {
 				case "google_datastream_connection_profile",
 					"google_firestore_backup_schedule",
 					"google_cloud_run_service",
-					"google_cloud_run_domain_mapping":
+					"google_cloud_run_domain_mapping",
+					"google_privileged_access_manager_entitlement":
 					return true
 				default:
 					return false
diff --git a/provider/test-programs/pam-entitlement/.gitignore b/provider/test-programs/pam-entitlement/.gitignore
new file mode 100644
index 0000000000..c6958891dd
--- /dev/null
+++ b/provider/test-programs/pam-entitlement/.gitignore
@@ -0,0 +1,2 @@
+/bin/
+/node_modules/
diff --git a/provider/test-programs/pam-entitlement/Pulumi.yaml b/provider/test-programs/pam-entitlement/Pulumi.yaml
new file mode 100644
index 0000000000..5d50d98b37
--- /dev/null
+++ b/provider/test-programs/pam-entitlement/Pulumi.yaml
@@ -0,0 +1,31 @@
+name: gcp_2167
+runtime:
+  name: yaml
+config:
+  gcpProj: string
+resources:
+  entitlementId:
+    type: random:index/randomString:RandomString
+    properties:
+      length: 10
+      special: false
+      upper: false
+      number: true
+
+  entitlement:
+    type: gcp:privilegedaccessmanager:entitlement
+    properties:
+      parent: "projects/${gcpProj}"
+      entitlementId: "${entitlementId.result}"
+      location: "global"
+      eligibleUsers:
+        - principals: ["domain:pulumi.com"]
+      maxRequestDuration: "7200s"
+      requesterJustificationConfig:
+        unstructured: {}
+      privilegedAccess:
+        gcpIamAccess:
+          resource: "//cloudresourcemanager.googleapis.com/projects/${gcpProj}"
+          resourceType: "cloudresourcemanager.googleapis.com/Project"
+          roleBindings:
+            - role: "roles/storage.admin"
\ No newline at end of file