生成CloudFront签名的URL时出现问题;始终拒绝访问

我在用cloudfront生成签名url时遇到问题。无论我尝试什么,我都会得到拒绝访问的响应。

我在cloudfront中创建了一个分发版和一个cloudfront密钥对id,并下载了该密钥对id的私钥和公钥。

在一个简单的php脚本中,我尝试以下操作:

use Aws\CloudFront\CloudFrontClient;

$cloudfront = new CloudFrontClient([
    'credentials' => [
        'key' => '[redacted]', // Access key ID of IAM user with Administrator policy
        'secret' => '[redacted]', // Secret access key of same IAM user
    ],
    'debug' => true,
    'region' => 'eu-west-1',
    'version' => 'latest',
]);

$expires = strtotime('+6 hours');

$resource = 'https://[redacted].cloudfront.net/mp4/bunny-trailer.mp4';

$url = $cloudfront->getSignedUrl([
    'url' => $resource,
    'policy' => json_encode([
        'Statement' => [
            [
                'Resource' => $resource,
                'Condition' => [
                    'DateLessThan' => [
                        'AWS:EpochTime' => $expires,
                    ],
                ],
            ],
        ],
    ]),
    'expires' => $expires,
    'key_pair_id' => '[redacted]', // Access key ID of CloudFront key pair
    'private_key' => '[redacted]', // Relative path to pk-[redacted].pem file
]);

但是当访问生成的url时,它总是在浏览器中给出一个错误,代码为“accessdenied”。

我做错什么了?