Launch Error Glue Etl Marketplace - Failed To [verified] Download Connector -

Verify the Glue execution role has AmazonEC2ContainerRegistryReadOnly .

Even with perfect networking, the Glue job will fail if its execution role is not authorized to pull the connector image from ECR. Update your Glue Connection properties by setting the

If you are in an AWS Organization, ensure that no SCPs are explicitly denying ECR or Marketplace actions, as these will override any local IAM permissions you grant. 3. Alternative: Private ECR Workaround Update your Glue Connection properties by setting the

Attach the AWS-managed policy AmazonEC2ContainerRegistryReadOnly to your Glue service role. This provides the minimum necessary permissions to download the connector container. Update your Glue Connection properties by setting the

Update your Glue Connection properties by setting the CONNECTOR_URL to point to your private ECR URI.

For a more secure, internal-only setup, you can configure Interface VPC Endpoints for Amazon ECR ( com.amazonaws.[region].ecr.api and com.amazonaws.[region].ecr.dkr ) and a Gateway VPC Endpoint for Amazon S3 to allow the job to pull the connector image without traversing the internet.

Confirm the security group for the connection allows outbound traffic on port 443.