I am trying to use a signed URL to serve an S3 bucket as private content via AWS CloudFront.
However, I keep getting this error: 'Missing Key-Pair-Id query parameter or cookie value'
<Error>
<Code>MissingKey</Code>
<Message>
Missing Key-Pair-Id query parameter or cookie value
</Message>
</Error>
Here is an example url
I have verified that I do not have any invalid characters ('+', '=', '/') in the signature.
And Key-Pair-Id is clearly present in the signed URL.
My questions:
1) my-test-key is created using my IAM. Is it a problem?
2) Is it a must to provide a policy in a signed URL?
3) Do I need to grant any permission to the object TestContent/test.html to the OAI?
Edit
If I change the Key-Pair-Id value to something else, I will get a different error message:
<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>
So apparently Key-Pair-Id is accepted by AWS CloudFront.
You have to use CloudFront-specific key pairs. More information on how to download or upload your own public key:
http://docs.aws.amazon.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#KeyPairs
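
An added example (not part of the question or the answer, and not AWS code): a small Python lint for the query string of a CloudFront signed URL, checking the parameters a canned-policy or custom-policy URL carries and the '+', '=', '/' substitutions mentioned in the question. The function names are hypothetical, and the domain, key ID and signature bytes are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlsplit

# CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
TO_CF = str.maketrans("+=/", "-_~")
FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(TO_CF)

def cf_b64decode(value: str) -> bytes:
    return base64.b64decode(value.translate(FROM_CF), validate=True)

def raw_params(url: str) -> dict:
    """Split the query string without percent-decoding, so raw characters stay visible."""
    pairs = (p.partition("=") for p in urlsplit(url).query.split("&") if p)
    return {name: value for name, _, value in pairs}

def lint_signed_url(url: str) -> list:
    """Return the problems found in a CloudFront signed URL's query string."""
    params, problems = raw_params(url), []
    for name in ("Signature", "Key-Pair-Id"):  # names are matched exactly here
        if not params.get(name):
            problems.append(f"missing {name}")
    # Canned policy carries Expires; custom policy carries Policy instead.
    if "Policy" not in params and not params.get("Expires", "").isdigit():
        problems.append("need Expires (epoch seconds) or Policy")
    for name in ("Signature", "Policy"):
        value = params.get(name)
        if not value:
            continue
        if set(value) & set("+=/%"):
            problems.append(f"{name} contains characters that must be replaced")
        try:
            decoded = cf_b64decode(value)
            if name == "Policy" and "Statement" not in json.loads(decoded):
                problems.append("Policy has no Statement")
        except (ValueError, TypeError):
            problems.append(f"{name} is not valid CloudFront base64")
    return problems

# Constructed sample: placeholder domain and key ID; SIG is 128 filler bytes, not a real signature.
SIG = cf_b64encode(bytes(range(250, 256)) * 21 + b"\x00\x01")
BASE = "https://d111111abcdef8.cloudfront.net/TestContent/test.html"
GOOD = f"{BASE}?Expires=1700000000&Signature={SIG}&Key-Pair-Id=EXAMPLEKEYID"

if __name__ == "__main__":
    print(lint_signed_url(GOOD))
    print(lint_signed_url(GOOD.replace("&Key-Pair-Id=EXAMPLEKEYID", "")))
```

The lint only inspects the URL's structure; it does not verify the signature or tell you whether the key ID is one CloudFront trusts for the distribution.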