diff --git a/docs/content/s3.md b/docs/content/s3.md
index 7d4f6a2bb..0d4c9baa4 100644
--- a/docs/content/s3.md
+++ b/docs/content/s3.md
@@ -133,6 +133,44 @@ created in.  If you attempt to access a bucket from the wrong region,
 you will get an error, `incorrect region, the bucket is not in 'XXX'
 region`.
 
+### Anonymous access to public buckets ###
+
+If you want to use rclone to access a public bucket, configure with a
+blank `access_key_id` and `secret_access_key`.  Eg
+
+```
+e) Edit existing remote
+n) New remote
+d) Delete remote
+q) Quit config
+e/n/d/q> n
+name> anons3
+What type of source is it?
+Choose a number from below
+ 1) amazon cloud drive
+ 2) drive
+ 3) dropbox
+ 4) google cloud storage
+ 5) local
+ 6) s3
+ 7) swift
+type> 6
+AWS Access Key ID - leave blank for anonymous access.
+access_key_id> 
+AWS Secret Access Key (password) - leave blank for anonymous access.
+secret_access_key> 
+Region to connect to.
+region> 1
+endpoint> 
+location_constraint> 
+```
+
+Then use it as normal with the name of the public bucket, eg
+
+    rclone lsd anons3:1000genomes
+
+You will be able to list and copy data but not upload it.
+
 ### Ceph ###
 
 Ceph is an object storage system which presents an Amazon S3 interface.
diff --git a/s3/s3.go b/s3/s3.go
index cab693701..3c57e1b55 100644
--- a/s3/s3.go
+++ b/s3/s3.go
@@ -41,10 +41,10 @@ func init() {
 		// AWS endpoints: http://docs.amazonwebservices.com/general/latest/gr/rande.html#s3_region
 		Options: []fs.Option{{
 			Name: "access_key_id",
-			Help: "AWS Access Key ID.",
+			Help: "AWS Access Key ID - leave blank for anonymous access.",
 		}, {
 			Name: "secret_access_key",
-			Help: "AWS Secret Access Key (password). ",
+			Help: "AWS Secret Access Key (password) - leave blank for anonymous access.",
 		}, {
 			Name: "region",
 			Help: "Region to connect to.",
@@ -193,14 +193,19 @@ func s3ParsePath(path string) (bucket, directory string, err error) {
 func s3Connection(name string) (*s3.S3, error) {
 	// Make the auth
 	accessKeyID := fs.ConfigFile.MustValue(name, "access_key_id")
-	if accessKeyID == "" {
-		return nil, errors.New("access_key_id not found")
-	}
 	secretAccessKey := fs.ConfigFile.MustValue(name, "secret_access_key")
-	if secretAccessKey == "" {
+	var auth *credentials.Credentials
+	switch {
+	case accessKeyID == "" && secretAccessKey == "":
+		fs.Debug(name, "Using anonymous access for S3")
+		auth = credentials.AnonymousCredentials
+	case accessKeyID == "":
+		return nil, errors.New("access_key_id not found")
+	case secretAccessKey == "":
 		return nil, errors.New("secret_access_key not found")
+	default:
+		auth = credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
 	}
-	auth := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
 
 	endpoint := fs.ConfigFile.MustValue(name, "endpoint")
 	region := fs.ConfigFile.MustValue(name, "region")