Why 'Missing Key-Pair-Id query parameter or cookie value'

Question

I am trying use signed url to serve S3 bucket as private content via AWS cloudfront.

However I keep getting this error 'Missing Key-Pair-Id query parameter or cookie value'

<Error>
<Code>MissingKey</Code>
<Message>
Missing Key-Pair-Id query parameter or cookie value
</Message>
</Error>

Here is an example url

http://test.example.com/TestContent/test.html?Expires=1431195459&Signature=DSk8HwFScg6EFJla1p8UHB9EM28zXB7k5AwrXZjzByzdlTSMCG-md6MvUFT~pneaahfPbCcvxNWqZNYu5Dc1IE1JrjOhFP52APFsVmJDlPmqoQzOoCECclEsSvMpTPgva8L4TazDLtI6E5EuV632y76ZA8XoT2KHhzcj7ux9XhvQ6wyiiQxK9rb13sZJ~Cm~4qI-028dd6UkEIu1tUIM~SFh72wYjik7v8sfz2z5T5bZGZJrrfryO0zA9wpkabFA8JkrmfuBm55XWqcVk5OSOkrNn7iyuXwmrEeBJxufaiWE84UbfS8He12fh6~-seTr7UnOCtC4mBf4qlGsxCzKiw__&Key-Pair-Id=my-test-key

I have verified that I do not have any invalid characters ('+', '=', '/') in the signature.

And Key-Pair-Id is clearly present in the signed url.

My questions:

1) my-test-key is created using my IAM. Is it a problem?

2) Is it a must to provide a policy in a signed url?

3) Do I need to grant any permission to the object TestContent/test.html to the OAI?

Edit

If I change the Key-Pair-Id value to something else, I will get a different error message

<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>

So apparently Key-Pair-Id is accepted by aws cloudfront.

Answer 1

You have to use CloudFront specific key pairs. More information on how to download or upload your own public key:

http://docs.aws.amazon.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#KeyPairs

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs