diff --git a/src/object-store/src/config.rs b/src/object-store/src/config.rs
index ea34e238c4..ac976da8f0 100644
--- a/src/object-store/src/config.rs
+++ b/src/object-store/src/config.rs
@@ -16,6 +16,7 @@ use std::time::Duration;
 
 use common_base::readable_size::ReadableSize;
 use common_base::secrets::{ExposeSecret, SecretString};
+use common_telemetry::tracing::warn;
 use opendal::services::{Azblob, Gcs, Oss, S3};
 use serde::{Deserialize, Serialize};
 
@@ -123,11 +124,18 @@ impl From<&S3Connection> for S3 {
     fn from(connection: &S3Connection) -> Self {
         let root = util::normalize_dir(&connection.root);
 
-        let mut builder = S3::default()
-            .root(&root)
-            .bucket(&connection.bucket)
-            .access_key_id(connection.access_key_id.expose_secret())
-            .secret_access_key(connection.secret_access_key.expose_secret());
+        let mut builder = S3::default().root(&root).bucket(&connection.bucket);
+
+        if !connection.access_key_id.expose_secret().is_empty()
+            && !connection.secret_access_key.expose_secret().is_empty()
+        {
+            builder = builder
+                .access_key_id(connection.access_key_id.expose_secret())
+                .secret_access_key(connection.secret_access_key.expose_secret());
+        } else {
+            warn!("No access key id or secret access key provided, using anonymous access");
+            builder = builder.allow_anonymous().disable_ec2_metadata();
+        }
 
         if let Some(endpoint) = &connection.endpoint {
             builder = builder.endpoint(endpoint);