diff --git a/.changelog/4500.txt b/.changelog/4500.txt
new file mode 100644
index 0000000000..060aea39b1
--- /dev/null
+++ b/.changelog/4500.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_zero_trust_access_identity_provider: Fix `client_secret` attribute always causing update, even when not changed
+```
diff --git a/internal/sdkv2provider/resource_cloudflare_access_identity_provider.go b/internal/sdkv2provider/resource_cloudflare_access_identity_provider.go
index 28d2f10d70..37d59aed2c 100644
--- a/internal/sdkv2provider/resource_cloudflare_access_identity_provider.go
+++ b/internal/sdkv2provider/resource_cloudflare_access_identity_provider.go
@@ -76,7 +76,7 @@ func resourceCloudflareAccessIdentityProviderRead(ctx context.Context, d *schema
 d.Set("name", accessIdentityProvider.Name)
 d.Set("type", accessIdentityProvider.Type)

- config := convertAccessIDPConfigStructToSchema(accessIdentityProvider.Config)
+ config := convertAccessIDPConfigStructToSchema(d.Get("config.0.client_secret").(string), accessIdentityProvider.Config)
 if configErr := d.Set("config", config); configErr != nil {
 return diag.FromErr(fmt.Errorf("error setting Access Identity Provider configuration: %w", configErr))
 }
@@ -285,7 +285,7 @@ func convertScimConfigSchemaToStruct(d *schema.ResourceData) cloudflare.AccessId
 return ScimConfig
 }

-func convertAccessIDPConfigStructToSchema(options cloudflare.AccessIdentityProviderConfiguration) []interface{} {
+func convertAccessIDPConfigStructToSchema(clientSecret string, options cloudflare.AccessIdentityProviderConfiguration) []interface{} {
 attributes := make([]string, 0)
 for _, value := range options.Attributes {
 attributes = append(attributes, value)
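Review bot: Nothing at the new `d.Get("config.0.client_secret")` call in the `@@ -76` hunk says why Read takes the secret from prior state instead of from the API response, and the comment that explained the write-only behaviour is deleted from the schema file in this same commit. Suggest a comment above the `config :=` line such as `// client_secret is write-only in the Cloudflare API; carry the prior state value forward so refresh does not overwrite it.` On import, or any refresh with no prior state, the lookup yields an empty string, so the first plan after import will presumably show a change for `client_secret`; that is worth stating in the resource documentation. The function body starts and ends outside the hunk.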
@@ -301,7 +301,7 @@ func convertAccessIDPConfigStructToSchema(options cloudflare.AccessIdentityProvi
 "centrify_app_id": options.CentrifyAppID,
 "certs_url": options.CertsURL,
 "client_id": options.ClientID,
- "client_secret": options.ClientSecret,
+ "client_secret": clientSecret,
 "claims": options.Claims,
 "scopes": options.Scopes,
 "directory_id": options.DirectoryID,
diff --git a/internal/sdkv2provider/schema_cloudflare_access_identity_provider.go b/internal/sdkv2provider/schema_cloudflare_access_identity_provider.go
index 3e27237425..15c1ab9c5a 100644
--- a/internal/sdkv2provider/schema_cloudflare_access_identity_provider.go
+++ b/internal/sdkv2provider/schema_cloudflare_access_identity_provider.go
@@ -85,12 +85,6 @@ func resourceCloudflareAccessIdentityProviderSchema() map[string]*schema.Schema
 "client_secret": {
 Type: schema.TypeString,
 Optional: true,
- // client_secret is a write only operation from the Cloudflare API
- // and once it's set, it is no longer accessible. To avoid storing
- // it and messing up the state, hardcode in the concealed version.
- StateFunc: func(val interface{}) string {
- return CONCEALED_STRING
- },
 },
 "claims": {
 Type: schema.TypeList,
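Review bot: With `"client_secret": clientSecret` in the `@@ -301` hunk and the `StateFunc` removed, the value written to state is the real secret from configuration rather than the concealed placeholder, yet the `client_secret` schema entry is left as `Type: schema.TypeString, Optional: true` with no `Sensitive: true`. Without that flag, plan and apply output would print the identity provider's client secret in clear, so I would add `Sensitive: true,` to the schema entry in this same change. State files written after this change will hold the secret in plaintext where they previously held only the placeholder, and the changelog entry could say so, so that operators check that their state backend is encrypted and access-restricted. State written by earlier versions still holds the placeholder, so the first plan after upgrading will presumably show one more `client_secret` update before the value settles. The map literal continues outside the hunk.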