Lakeformation - aws_lakeformation_lf_tag destroy fails when using s3tablescatalog for created resource

[Rexeh]

Terraform and AWS Provider Version

Terraform v1.12.2
on darwin_arm64
+ provider registry.terraform.io/datadog/datadog v3.79.0
+ provider registry.terraform.io/hashicorp/archive v2.7.1
+ provider registry.terraform.io/hashicorp/aws v6.20.0
+ provider registry.terraform.io/hashicorp/null v3.2.4

Affected Resource(s) or Data Source(s)

aws_lakeformation_lf_tag

Expected Behavior

Following #44890 - Creation now succeeds.

Given LF tags are added to a resource utilising an s3catalog style catalog ID, when destroying the resource it should successfully remove the LF tags.

Actual Behavior

Using Terraform to destroy the object, results in API error

Error: deleting AWS Lake Formation Resource LF Tags (1879246397): removing Lake Formation LF-Tags: operation error LakeFormation: RemoveLFTagsFromResource, https response error StatusCode: 400, RequestID: 0f4f3c74-96ba-4ef2-ae21-38dd151d728f, AccessDeniedException: Insufficient Glue permissions to access database example_db
ERROR | Terraform command failed | /home/gitlab/.tfenv/bin/terraform apply -no-color -var-file=XXX -parallelism=30 -input=false -auto-approve -refresh=true | Error: deleting AWS Lake Formation Resource LF Tags (1879246397): removing Lake Formation LF-Tags: operation error LakeFormation: RemoveLFTagsFromResource, https response error StatusCode: 400, RequestID: 0f4f3c74-96ba-4ef2-ae21-38dd151d728f, AccessDeniedException: Insufficient Glue permissions to access database example_db

Direct call to CLI executes correctly utilising same principal

aws lakeformation remove-lf-tags-from-resource \
--resource '{"Database":{"Name":"example_db", "CatalogId": "111111111111:s3tablescatalog/tablebucketname"}}' \
--lf-tags '[{"TagKey": "product","TagValues": ["example"]}]'

Relevant Error/Panic Output

Error: deleting AWS Lake Formation Resource LF Tags (1879246397): removing Lake Formation LF-Tags: operation error LakeFormation: RemoveLFTagsFromResource, https response error StatusCode: 400, RequestID: b167d1c5-3b49-465b-97b7-58981e27cba1, AccessDeniedException: Insufficient Glue permissions to access database example_db
ERROR | Terraform command failed | /home/gitlab/.tfenv/bin/terraform apply -no-color -var-file=XXXX -parallelism=30 -input=false -auto-approve -refresh=true | Error: deleting AWS Lake Formation Resource LF Tags (1879246397): removing Lake Formation LF-Tags: operation error LakeFormation: RemoveLFTagsFromResource, https response error StatusCode: 400, RequestID: b167d1c5-3b49-465b-97b7-58981e27cba1, AccessDeniedException: Insufficient Glue permissions to access database example_db

I believe this error to be result of some other issue, as CLI calls to the API using same payloads work correctly. Principal being used to execute is identical between CI/Local.

Sample Terraform Configuration

Click to expand configuration

resource "aws_lakeformation_resource_lf_tags" "lf_tag_test" {

  database {
    name = "example_db"
    catalog_id = "111111111111:s3tablescatalog/tablebucketname"
  }

  lf_tag {
    key   = "product"
    value = "example"
  }

  lf_tag {
    key   = "layer"
    value = "raw"
  }
}

Steps to Reproduce

1. Apply LF tag(s) using aws_lakeformation_resource_lf_tags to an S3Catalog resource within lakeformation that has been federated in from s3tables
2. Tags will be correctly associated to resource
3. Cause destroy of resources
4. Destroy will fail

CLI commands for the same, using same request payloads work correctly.

Debug Logging

Click to expand log output

2025-11-07T11:57:15.376Z [DEBUG] provider.terraform-provider-aws_v6.20.0_x5: HTTP Request Sent: http.request.header.amz_sdk_request="attempt=1; max=25" http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.12.2 (+https://www.terraform.io) terraform-provider-aws/6.20.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.39.6 ua/2.1 os/macos lang/go#1.24.8 md/GOOS#darwin md/GOARCH#arm64 api/lakeformation#1.45.9 m/i" rpc.method=RemoveLFTagsFromResource rpc.service=LakeFormation tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=3f1cd927-a02e-5932-7d57-8a9c8401d1f2 tf_resource_type=aws_lakeformation_resource_lf_tags http.request.header.x_amz_date=20251107T115715Z @module=aws
  http.request.body=
  | {"LFTags":[{"CatalogId":"111111111111","TagKey":"layer","TagValues":["raw"]}],"Resource":{"Database":{"CatalogId":"111111111111:s3tablescatalog/tablebucketname","Name":"example_db"}}}
  

GenAI / LLM Assisted Development

n/a

Important Facts and References

No response

Would you like to implement a fix?

No

[github-actions]

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

• Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
• Please see our prioritization guide for additional information on how the maintainers handle prioritization.
• Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.
• For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.