InternalFailure on `AWS::LakeFormation::PrincipalPermissions` resource

Name of the resource

Other

Resource Name

AWS::LakeFormation::PrincipalPermissions

Issue Description

I'm having issues with the AWS::LakeFormation::PrincipalPermissions resource to grant permissions to lake formation tags for IAM roles.

The issue only happens when the permissions ASSOCIATE and DESCRIBE are used together, I've tested only with DESCRIBE or only ASSOCIATE, and both work okay.

CloudFormation Event Entry:

CloudFormation Resource:

{
...
"PermissionMyRoleCategory": {
   "Type": "AWS::LakeFormation::PrincipalPermissions",
   "Properties": {
    "Permissions": [
     "ASSOCIATE",
     "DESCRIBE"
    ],
    "PermissionsWithGrantOption": [
     "ASSOCIATE",
     "DESCRIBE"
    ],
    "Principal": {
     "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/my-role"
    },
    "Resource": {
     "LFTag": {
      "CatalogId": "123456789012",
      "TagKey": "Category",
      "TagValues": [
       "*"
      ]
     }
    }
   }
  }
...
}

Expected Behavior

The permissions should be granted and not fail the stack.

Observed Behavior

Only the ASSOCIATE works.
Only the DESCRIBE works.
Both together do not work.
The resources are successfully created in the Lake Formation, but the stack fails and does not revoke the permissions.

Test Cases

Deploy a stack granting permissions on an LF Tag with ASSOCIATE and DESCRIBE at the same time, permissions to an IAM role.

Other Details

No response

aws-cloudformation / cloudformation-coverage-roadmap

InternalFailure on `AWS::LakeFormation::PrincipalPermissions` resource #1381