url returned from cloudfront create_signed_url results in 403 response: missing AWSAccessKeyId parameters

[chriddyp]

I'm attempting to use create_signed_url with very similar usage to the test case:

boto/tests/unit/cloudfront/test_signed_urls.py

Lines 356 to 366 in 2d7796a

	def test_canned_policy(self):
	"""
	Generate signed url from the Example Canned Policy in Amazon's
	documentation.
	"""
	url = "http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes"
	expire_time = 1258237200
	expected_url = "http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes&Expires=1258237200&Signature=Nql641NHEUkUaXQHZINK1FZ~SYeUSoBJMxjdgqrzIdzV2gyEXPDNv0pYdWJkflDKJ3xIu7lbwRpSkG98NBlgPi4ZJpRRnVX4kXAJK6tdNx6FucDB7OVqzcxkxHsGFd8VCG1BkC-Afh9~lOCMIYHIaiOB6~5jt9w2EOwi6sIIqrg_&Key-Pair-Id=PK123456789754"
	signed_url = self.dist.create_signed_url(
	url, self.pk_id, expire_time, private_key_string=self.pk_str)
	self.assertEqual(expected_url, signed_url)

url = "http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes"
expire_time = int(time.time()+1000)
signed_url =dist.create_signed_url(url, self.pk_id, expire_time, private_key_string=pk_str)

a request to the resulting URL responds with a 403:

<Error>
<script/>
<Code>AccessDenied</Code>
<Message>
Query-string authentication requires the Signature, Expires and AWSAccessKeyId parameters
</Message>
<RequestId>1395041855FC6A4E</RequestId>
<HostId>
QPuw1CwwjbDp6+IQW22ati6kKLh27s9GixgFl+r1tLdjJjYos3fuctGTxQ3fDdpYRJ1dGAKtgoc=
</HostId>
</Error>

Is AWSAccessKeyId parameter missing from the generated URL (and from the docs? http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-canned-policy.html)