OpenStack Swift 401 Unauthorized When Using the swift Command

• Updated March 17, 2019


After setting up an OpenStack Swift Cluster with TempAuth, I wanted to authenticate Swift against Keystone instead of TempAuth. However, I kept encountering 401 Unauthorized errors when running the swift command even though I was fairly certain everything was configured properly.

The following are the errors I encountered (192.168.236.60 is the Swift Proxy node’s IP address).

When running swift list the following error was thrown:

Account GET failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3?format=json 401 Unauthorized  [first 60 chars of response] 401 Unauthorized

This server could not verify that you are 

When running swift stat the following error was thrown:

Account HEAD failed: http://192.168.236.60:8080/v1/AUTH_a72a173cb7a0404a8525548a3c2788c3 401 Unauthorized

In addition, the following was being outputted in /var/log/messages on the Swift Proxy node:

localhost proxy-server: STDOUT: No handlers could be found for logger "keystone.common.cms" (txn: tx2cac3bf28904438bb88a5-0053c048ed)

I’m not sure how relevant that log is, but it was being thrown every time I ran one of the swift commands.

Google searching returns many results trying to troubleshoot the 401 Unauthorized error. Most of the proposed solutions did not apply to my Swift cluster because the original poster was missing configuration parameters that I already had in place.

After comparing the output of swift --debug list from my Swift Cluster to a working Swift Cluster, I discovered the problem.

My Keystone server was configured to use PKI tokens. Apparently, Swift 1.12.0 is not compatible with PKI tokens. With PKI tokens enabled, everything was working in the Horizon Dashboard, but the swift command would always return 401 Unauthorized even though the user I was authenticated as had the admin or SwiftOperator roles.

The fix was to modify Keystone to use UUID tokens. This can be quickly changed by opening /etc/keystone/keystone.conf, searching for token_format, and changing its value from PKI to UUID. Be sure to restart the Keystone service after making the change.

With that change in place, the swift command ran without a problem.

If you found this post useful and would like to help support this site - and get something for yourself - sign up for any of the services listed below through the provided links.

The following links are part of affiliate programs, and I will receive a referral payment from any of the services you sign-up for.

  • Get Faster Shipping: About to order some stuff on Amazon but want to get more value out of the money you would normally pay for shipping? Sign-up for a free, 30-day trial of Amazon Prime to get free two-day shipping, access to thousands of movies and TV shows, and more.
  • Start Investing Now: Looking to start investing some of your saved income? Get started by opening an account with Webull, where upon sign-up and opening a brokerage account with an initial deposit of $100 or more you will receive free stock(s). The promotions are always changing, so be sure to click the link to see the latest.

Thanks for reading and take care.