: Add the ecr:GetAuthorizationToken permission to your Glue job's service role. For broader access, you can attach the AmazonEC2ContainerRegistryFullAccess policy, though limiting it to read-only is recommended for security.
: For ECR-based connectors, you may need Interface VPC Endpoints for ECR (both com.amazonaws.[region].ecr.api and com.amazonaws.[region].ecr.dkr ) if you are not using a NAT Gateway. 3. Security Group Restrictions glue etl marketplace - failed to download connector
If you've encountered the error while running an AWS Glue job, you're not alone. This error typically occurs during the job's initialization phase when Glue attempts to fetch the required connector assets—often stored as Docker images in Amazon Elastic Container Registry (ECR) or as JAR files—but is blocked by permission or network constraints. Top Causes and Solutions 1. Missing IAM Permissions (ECR Access) : Add the ecr:GetAuthorizationToken permission to your Glue
: Add a self-referencing inbound rule to the security group used by your Glue connection. This should allow all TCP traffic from the same security group ID. 4. Marketplace Subscription Issues Sometimes the failure isn't technical but administrative. Top Causes and Solutions 1
: If the connector is being pulled from S3, ensure you have an S3 VPC Gateway Endpoint configured.
Troubleshooting AWS Glue ETL Marketplace: "Failed to Download Connector"
: Ensure your VPC subnet has a route to a NAT Gateway in a public subnet.