I want two origin access identities for CloudFront (and S3): one that can just view content, and another that can just put content (and maybe another that can just delete).
I know I can create an origin access identity, and in my S3 bucket policy I can specify which identity has how much access.
But while signing URLs, I don't see any option to choose this identity. The PHP code I'm using:
$customPolicy = <<<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
POLICY;

// Create a signed URL for the resource using the canned policy
$signedUrlCannedPolicy = $cloudFront->getSignedUrl([
    'url'         => $streamHostUrl . '/' . $resourceKey,
    'private_key' => base_path() . '/' . 'cloudfront.pem',
    'key_pair_id' => 'my key pair id',
    'policy'      => $customPolicy
]);
How does one tell AWS who to sign on behalf of? I created a key pair for CloudFront following http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs.
0 Answers