Why 'Missing Key-Pair-Id query parameter or cookie value'

1) my-test-key should not be created under IAM. You need to login to the root account and go to "My Security Credentials" menu under your account-name. Expand "CloudFront Key Pairs" and create new one. Download Private Key file.

2) It is a must to include a policy in the url, but it should be encrypted. Refer to the section "Creating a Policy Statement for a Signed URL That Uses a Custom Policy". http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html

3) No, it shouldn't be granted for any public access. Just have a bucket policy so that your server url is allowed to request a get or any method.

You have to use CloudFront specific key pairs. More information on how to download or upload your own public key:

http://docs.aws.amazon.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#KeyPairs

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs