benbjohnson / litestream

Streaming replication for SQLite.

Home Page:https://litestream.io


Configuration file equivalent of `AWS_SESSION_TOKEN`

simonw opened this issue · comments

Litestream configuration files currently support the following two S3 credential settings:

access-key-id:     AKIAxxxxxxxxxxxxxxxx
secret-access-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx

There is a third setting needed for some AWS credentials - the session token. This is required when working with time-limited credentials created using the STS.AssumeRole() mechanism.

My s3-credentials tool can be used to create these like so:

% s3-credentials create static.niche-museums.com --duration 15m
Assume role against arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess for 900s
{
    "AccessKeyId": "ASIAWXFXAIOZPAHAYHUG",
    "SecretAccessKey": "Nrnoc...",
    "SessionToken": "FwoGZXIvYXd...mr9Fjs=",
    "Expiration": "2021-11-11 03:24:07+00:00"
}

The obvious design here would be an optional session-token configuration property in the Litestream configuration that would work like this:

access-key-id:     AKIAxxxxxxxxxxxxxxxx
secret-access-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx
session-token:     FwoGZXIvYXd...mr9Fjs=

It turns out Litestream DOES pick up the AWS_SESSION_TOKEN environment variable, if it is present - so the workaround for this missing feature right now is to run Litestream like so:

AWS_ACCESS_KEY_ID="..." \
AWS_SECRET_ACCESS_KEY="..." \
AWS_SESSION_TOKEN="..." \
litestream replicate fruits.db s3://my-bucket/fruits.db

It looks like this works because the underlying aws/aws-sdk-go library picks that up: https://github.com/aws/aws-sdk-go/blob/e2d6cb448883e4f4fcc5246650f89bde349041ec/aws/credentials/env_provider.go#L66
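As an added illustration of the behaviour the issue describes (this is example code, not Litestream's or aws-sdk-go's own), the Go program below reads the JSON that s3-credentials prints, renders it in the proposed three-key config shape, and then resolves a credential set the way the issue implies it should work: config values take precedence per key, and any key the config leaves empty falls back to the matching AWS_* environment variable. The sample JSON, the `Creds` type, the `Resolve` function and its `getenv`/`now` parameters are all assumptions made for this example; the only AWS facts it relies on are that temporary STS access key ids begin with `ASIA` and cannot be used without their session token, which is why a missing token is reported as a configuration error instead of surfacing later as rejected S3 requests.

```go
// Added example (not Litestream's own code): config-file session-token plus
// AWS_* environment fallback, with the checks an operator would want.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sampleSTSJSON is constructed for this example; it mirrors the shape of the
// s3-credentials output quoted in the issue, with placeholder values.
const sampleSTSJSON = `{
    "AccessKeyId": "ASIAEXAMPLE000000000",
    "SecretAccessKey": "ExampleSecretKeyValue0000000000000000",
    "SessionToken": "FwoGZXIvYXdEXAMPLETOKEN",
    "Expiration": "2021-11-11 03:24:07+00:00"
}`

// Creds is the full credential set: a session token is only present for
// temporary (STS) credentials, and Expiration is zero for long-lived keys.
type Creds struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}

// stsOutput matches the JSON field names printed by s3-credentials.
type stsOutput struct {
	AccessKeyId     string
	SecretAccessKey string
	SessionToken    string
	Expiration      string
}

// ParseSTSOutput converts the tool's JSON into Creds, parsing the expiry.
func ParseSTSOutput(data []byte) (Creds, error) {
	var out stsOutput
	if err := json.Unmarshal(data, &out); err != nil {
		return Creds{}, err
	}
	c := Creds{AccessKeyID: out.AccessKeyId, SecretAccessKey: out.SecretAccessKey, SessionToken: out.SessionToken}
	if out.Expiration != "" {
		t, err := time.Parse("2006-01-02 15:04:05-07:00", out.Expiration)
		if err != nil {
			return Creds{}, err
		}
		c.Expiration = t
	}
	return c, nil
}

// ConfigLines renders the credentials in the config-file form proposed in the
// issue; session-token is only emitted when there is one.
func ConfigLines(c Creds) string {
	var b strings.Builder
	fmt.Fprintf(&b, "access-key-id:     %s\n", c.AccessKeyID)
	fmt.Fprintf(&b, "secret-access-key: %s\n", c.SecretAccessKey)
	if c.SessionToken != "" {
		fmt.Fprintf(&b, "session-token:     %s\n", c.SessionToken)
	}
	return b.String()
}

// Resolve merges config values with environment fallbacks. getenv and now are
// injected so the logic runs deterministically in tests.
func Resolve(cfg Creds, getenv func(string) string, now time.Time) (Creds, error) {
	pick := func(v, env string) string {
		if v != "" {
			return v
		}
		return getenv(env)
	}
	out := Creds{
		AccessKeyID:     pick(cfg.AccessKeyID, "AWS_ACCESS_KEY_ID"),
		SecretAccessKey: pick(cfg.SecretAccessKey, "AWS_SECRET_ACCESS_KEY"),
		SessionToken:    pick(cfg.SessionToken, "AWS_SESSION_TOKEN"),
		Expiration:      cfg.Expiration,
	}
	if out.AccessKeyID == "" || out.SecretAccessKey == "" {
		return Creds{}, errors.New("access-key-id and secret-access-key are both required")
	}
	// Temporary access key ids start with "ASIA" and are useless without
	// their session token: fail fast instead of letting S3 reject every call.
	if strings.HasPrefix(out.AccessKeyID, "ASIA") && out.SessionToken == "" {
		return Creds{}, errors.New("temporary access key (ASIA...) requires a session token")
	}
	if !out.Expiration.IsZero() && now.After(out.Expiration) {
		return Creds{}, errors.New("credentials have expired")
	}
	return out, nil
}

func main() {
	c, err := ParseSTSOutput([]byte(sampleSTSJSON))
	if err != nil {
		panic(err)
	}
	fmt.Print(ConfigLines(c))
	empty := func(string) string { return "" }
	_, err = Resolve(Creds{AccessKeyID: c.AccessKeyID, SecretAccessKey: c.SecretAccessKey}, empty, c.Expiration.Add(-time.Minute))
	fmt.Println("config without session-token:", err)
}
```

Running it prints the three config lines and then the error for a config that carries an `ASIA` key but no token, which is exactly the case the workaround with `AWS_SESSION_TOKEN` currently papers over.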

For completeness this key should indeed be added.