diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8db265a..af38c35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.12.9] - 2026-04-16
+### Fixed
+- Added `lakeformation:GetDataAccess` and `iam:PassRole` (self) inline policy to `lf_data_access` role, required for LakeFormation credential vending when Glue stats writes column statistics back to the catalog.
+
 ## [7.12.8] - 2026-04-15
 ### Added
 - Added var `create_glue_stats_vendor_role_tbl_permissions` to create LakeFormation table permissions (`DESCRIBE`, `INSERT`, `DELETE`) for the Glue stats service role on all schemas.
diff --git a/lf.tf b/lf.tf
index 2b112a7..038572a 100644
--- a/lf.tf
+++ b/lf.tf
@@ -444,3 +444,26 @@ resource "aws_iam_role_policy" "lf_data_access_cloudwatch" {
 }
 EOF
 }
+
+resource "aws_iam_role_policy" "lf_data_access_pass_role" {
+count = var.create_lf_resource && var.create_lf_data_access_role ? 1 : 0
+name = "pass_role_and_lf_data_access"
+role = aws_iam_role.lf_data_access[0].id
+policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Sid = "LakeFormationDataAccess"
+Effect = "Allow"
+Action = "lakeformation:GetDataAccess"
+Resource = ["*"]
+},
+{
+Sid = "PassRole"
+Effect = "Allow"
+Action = "iam:PassRole"
+Resource = [aws_iam_role.lf_data_access[0].arn]
+}
+]
+})
+}
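Review bot: The `iam:PassRole` statement in `lf_data_access_pass_role` carries no `Condition`, so any principal that has assumed this role may pass it to any AWS service rather than only the Glue/Lake Formation path the changelog describes; the self-scoped `Resource` already limits the blast radius, and the remaining tightening is to add `Condition = { StringEquals = { "iam:PassedToService" = "glue.amazonaws.com" } }` to that statement (confirm the service principal against the actual caller before merging). The `lakeformation:GetDataAccess` statement has to use `Resource = ["*"]` because that action does not support resource-level permissions, and a short comment above it (`# GetDataAccess supports only "*"; access is scoped by Lake Formation grants, not IAM`) would stop a later reader from "tightening" it into a broken policy. The `[0]` index on `aws_iam_role.lf_data_access` assumes the role is created under the same `var.create_lf_resource && var.create_lf_data_access_role` guard as this policy's `count`; the role definition is outside the hunk, so this is worth checking, since a mismatched guard fails at plan time only when one flag is set without the other.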