Skip to main content

Overview

This guide covers user-facing object storage issues. For platform-level issues such as storage node failures, ring inconsistencies, or proxy outages, see the Admin Troubleshooting guide.

Common Issues

403 Forbidden when accessing a container

Cause: Your authentication token belongs to a project that does not have read or write access to the container.Diagnosis:
Check container ACL
openstack container show <container-name> | grep -i "read\|write"
Resolution:
  • If the read ACL does not include your project or user ID, request the container owner to add your identity to the ACL
  • If the container is owned by your project and you still get 403, verify your role assignment includes the object-store:read capability
  • For public containers that return 403, verify the ACL contains .r:*
Cause: The proxy server timeout is shorter than the time needed to upload the file. Files over 5 GB must use the SLO or DLO large object mechanism.Resolution: Use the large object upload procedure described in the Large Objects guide. Split files into 1 GB or smaller segments.For files under 5 GB that still time out, check network bandwidth between your client and the proxy endpoint.
Cause: The archive container was deleted, or object versioning was disabled before the overwrite occurred.Diagnosis:
List archived versions
openstack object list <archive-container>
Resolution:
  • If the archive container exists, list its contents and locate the version by timestamp prefix
  • If the archive container is missing, versions stored there are unrecoverable
  • Versioning must be enabled before overwrites occur — it cannot be applied retroactively
Cause: The temporary URL has expired, or the signing key used to generate it has been changed on the account.Diagnosis:
Check temp URL key
openstack object store account show | grep -i temp
Resolution:
  • If no key is configured, set one first:
    Set temp URL key
    openstack object store account set \
  --property Temp-URL-Key=<your-secret-key>
  • If the key was recently changed, regenerate the temporary URL using the new key
  • Set Temp-URL-Key-2 as a secondary key during rotation to avoid invalidating in-flight URLs immediately
Cause: Object listing uses a prefix filter that doesn’t match, or the container ACL does not include .rlistings for public access.Diagnosis:
List without prefix filter
openstack object list <container>
Resolution:
  • Remove any prefix filter to see all objects
  • For public containers, add .rlistings to the read ACL if directory listing should be accessible: 
    openstack container set \
  --property "X-Container-Read=.r:*,.rlistings" \
  <container>

Diagnostic Commands

openstack object store account show

Next Steps

Admin Troubleshooting

Platform-level issues — 507 errors, ring inconsistencies, proxy latency

Access Control

Review and update container ACL configuration

Versioning

Enable versioning to prevent future data loss from overwrites

Large Objects

Resolve timeouts with proper large object upload procedures