I've eventually solved the problem.
It seems that Amazon aren't very clear about this... Hidden deep in the bowels of the AWS documentation you are instructed to set the bucket permissions on the S3 bucket to allow CloudFront access to it.
Further confusion ensues when you have to set the Principal property on the policy, as it suggests you need to get the Canonical User ID. However, this is NOT the Canonical User ID for your AWS account found on the Security Credentials page; it is instead found in the "Origin Access Identity" link on the CloudFront console.
Here is how to do it:
First create/obtain the CloudFront Origin Access Identity like this:
    // $cdn is an AmazonCloudFront instance (AWS SDK for PHP 1.x).
    // list_oais() returns the existing origin access identities; this takes the first one.
    $oai_id = $cdn->list_oais()->body->CloudFrontOriginAccessIdentitySummary->Id;
    if (!$oai_id)
    {
        // No OAI exists yet: create one (the argument is a caller reference of your choosing)
        // and read back its Id.
        $cdn->create_oai('SOME_IDENTIFIER');
        $oai_id = $cdn->list_oais()->body->CloudFrontOriginAccessIdentitySummary->Id;
    }
Now apply the policy to the bucket to allow CloudFront access:
    // The S3 canonical user id of the OAI is what goes into the policy's Principal,
    // NOT the canonical user id of your AWS account.
    $cuid = (string) $cdn->get_oai($oai_id)->body->S3CanonicalUserId;

    // $s3 is an AmazonS3 instance; $bucket is the bucket name.
    // Grant the OAI read access (s3:GetObject) to the objects in the bucket only.
    $policy = new CFPolicy($s3, array(
        'Statement' => array(
            array( // Statement #1
                'Sid' => 'AddPerm',
                'Effect' => 'Allow',
                'Principal' => array(
                    'CanonicalUser' => $cuid
                ),
                'Action' => array('s3:GetObject'),
                'Resource' => array('arn:aws:s3:::'.$bucket.'/*')
            )
        )
    ));
    // Set the bucket policy
    $response = $s3->set_bucket_policy($bucket, $policy);
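As an added illustration (not part of the answer above, and not AWS SDK code), here is a Python script that builds the same bucket policy document as a plain JSON structure and then audits it for the least-privilege properties the answer relies on: the only Allow principal is the OAI's S3 canonical user, the only action is s3:GetObject, and every resource is inside the bucket. It makes no AWS calls; the bucket name and canonical user id are constructed placeholders, and the audit function is a hypothetical helper, not an AWS API.

```python
import json

# Constructed sample values (not real identifiers): a bucket name and the
# S3CanonicalUserId that the CloudFront origin access identity would report.
SAMPLE_BUCKET = "example-media-bucket"
SAMPLE_OAI_CANONICAL_USER = "constructed-canonical-user-id-0000"


def build_oai_bucket_policy(bucket, oai_canonical_user_id):
    """Bucket policy granting only s3:GetObject on the bucket's objects to the
    CloudFront origin access identity (same shape as the PHP answer above)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": {"CanonicalUser": oai_canonical_user_id},
                "Action": ["s3:GetObject"],
                "Resource": ["arn:aws:s3:::%s/*" % bucket],
            }
        ],
    }


def policy_json(policy):
    """Serialise the policy the way it would be sent to set_bucket_policy."""
    return json.dumps(policy, sort_keys=True)


def _as_list(value):
    # IAM policy grammar allows a single string or a list in several fields.
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy, bucket, oai_canonical_user_id):
    """Return findings for Allow statements that go beyond 'the OAI may read
    objects in this bucket'. An empty list means the policy is clean."""
    findings = []
    bucket_arn_prefix = "arn:aws:s3:::" + bucket
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("%s: grants access to everyone" % sid)
        elif not isinstance(principal, dict) or \
                _as_list(principal.get("CanonicalUser")) != [oai_canonical_user_id]:
            findings.append("%s: principal is not the expected OAI canonical user" % sid)
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:GetObject":
                findings.append("%s: action %s exceeds read-only object access" % (sid, action))
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource.startswith(bucket_arn_prefix):
                findings.append("%s: resource %s is outside the bucket" % (sid, resource))
    return findings


# Constructed counter-example: a policy that is too broad in three ways.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Public",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-media-bucket/*",
        },
        {
            "Sid": "Broad",
            "Effect": "Allow",
            "Principal": {"CanonicalUser": SAMPLE_OAI_CANONICAL_USER},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::other-bucket/*",
        },
    ],
}


if __name__ == "__main__":
    good = build_oai_bucket_policy(SAMPLE_BUCKET, SAMPLE_OAI_CANONICAL_USER)
    print(policy_json(good))
    print("findings (good):", audit_bucket_policy(good, SAMPLE_BUCKET, SAMPLE_OAI_CANONICAL_USER))
    print("findings (broad):", audit_bucket_policy(OVERLY_BROAD_POLICY, SAMPLE_BUCKET, SAMPLE_OAI_CANONICAL_USER))
```

The audit is the check worth keeping around: a bucket fronted by CloudFront is only locked down if nothing else in its policy grants the public (Principal "*") access, so running it against the policy read back from the bucket, rather than only against the one you intend to set, catches a stale public-read statement left over from earlier experiments.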