awslabs / awsprocesscreds

Process credential providers for AWS SDKs and Tools

Feature request: Ability to accept additional input from end-user

tom-smith-okta opened this issue · comments

As noted in the discussion around adding MFA support for Okta, in order to accept additional input from an end-user you need to use a workaround: getpass.getpass or STDERR.

I would like to add a couple more features relative to Okta: dynamic role discovery and selection, as well as AWS account selection. These would involve accepting input from the end-user, so it would be great to have a different way to communicate back to the main AWS CLI tool other than STDOUT.

We considered using domain sockets, but those added too much complexity to development both for the client and server, as well as requiring the end user to stand up a daemon. Another option is to hijack the container credential provider, which can be used as a general HTTPS credential provider. That again imposes implementation difficulty for the developer and deployment difficulty for the end user.

In the end we went with using stdout because it's exceptionally easy to implement on both sides, and because git itself has had success with that model.

I think what we could really use is a more comprehensive dev guide on how to implement a process provider. There are a few gotchas like this that should be called out.
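The gotcha both comments circle around (stdout is the credential channel, so any user interaction has to go somewhere else) is easiest to see in a minimal provider. The following is an added example written for this thread, not code from awsprocesscreds or from either commenter. It implements the role-selection prompt the issue asks for in the only way the current contract allows: the menu and the answer go through the controlling terminal (the same device `getpass` uses; stderr is kept only as a fallback because the calling SDK may capture it), and stdout receives exactly one JSON document in the `credential_process` format (`Version` 1, `AccessKeyId`, `SecretAccessKey`, optional `SessionToken` and ISO 8601 `Expiration`). `SAMPLE_ROLES` and `assume_role_stub()` are hypothetical stand-ins for the roles an Okta/SAML flow would discover and the STS credentials it would return.

```python
#!/usr/bin/env python3
"""credential_process provider that asks the user a question without
polluting stdout.

Added example for this issue, not awsprocesscreds code. SAMPLE_ROLES and
assume_role_stub() are hypothetical stand-ins for the roles an Okta/SAML
flow would discover and the STS credentials it would obtain.
"""
import io
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample data: what dynamic role discovery might have returned.
SAMPLE_ROLES = [
    "arn:aws:iam::111111111111:role/ReadOnly",
    "arn:aws:iam::222222222222:role/Admin",
]
EXPIRATION_FMT = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC, as the CLI/SDKs expect


def open_terminal():
    """Return (reader, writer) for talking to the human.

    stdout is reserved for the credential JSON, and the calling SDK may
    capture stderr as well, so talk to the controlling terminal directly
    (as getpass does) and fall back to stdin/stderr only when there is none.
    """
    try:
        return open("/dev/tty", "r"), open("/dev/tty", "w")
    except OSError:
        return sys.stdin, sys.stderr


def prompt_choice(roles, reader, writer):
    """Print a numbered menu on writer and read a 1-based choice from reader."""
    for i, role in enumerate(roles, 1):
        writer.write(f"[{i}] {role}\n")
    while True:
        writer.write(f"Select a role [1-{len(roles)}]: ")
        writer.flush()
        line = reader.readline()
        if not line:  # EOF: nobody to ask (cron, CI); fail rather than guess
            raise SystemExit("no interactive terminal; cannot select a role")
        line = line.strip()
        if line.isdigit() and 1 <= int(line) <= len(roles):
            return roles[int(line) - 1]
        writer.write("invalid selection\n")


def assume_role_stub(role_arn):
    """Hypothetical stand-in for sts:AssumeRoleWithSAML; returns constructed
    credentials. A real provider would call STS here."""
    expires = datetime.now(timezone.utc) + timedelta(hours=1)
    return ("ASIACONSTRUCTED", "constructed-secret", "constructed-token", expires)


def credential_document(access_key, secret_key, session_token, expires_at):
    """The object credential_process must write to stdout as JSON."""
    return {
        "Version": 1,
        "AccessKeyId": access_key,
        "SecretAccessKey": secret_key,
        "SessionToken": session_token,
        "Expiration": expires_at.strftime(EXPIRATION_FMT),
    }


def validate_output(text):
    """Check that what is about to be emitted is one parseable document with
    the keys the CLI needs; raises ValueError otherwise and returns the dict."""
    doc = json.loads(text)
    for key in ("Version", "AccessKeyId", "SecretAccessKey"):
        if key not in doc:
            raise ValueError(f"missing {key}")
    if doc["Version"] != 1:
        raise ValueError("unsupported Version")
    if "Expiration" in doc:
        datetime.strptime(doc["Expiration"], EXPIRATION_FMT)
    return doc


def render_for_role(role_arn):
    """JSON text for the chosen role; the only thing main() writes to stdout."""
    text = json.dumps(credential_document(*assume_role_stub(role_arn)))
    validate_output(text)
    return text


def scripted_session(roles, typed):
    """Drive prompt_choice with canned keystrokes; returns (choice, transcript).
    Lets the menu be exercised offline, without a terminal."""
    reader, writer = io.StringIO(typed), io.StringIO()
    return prompt_choice(roles, reader, writer), writer.getvalue()


def main():
    reader, writer = open_terminal()
    role = prompt_choice(SAMPLE_ROLES, reader, writer)
    sys.stdout.write(render_for_role(role) + "\n")  # nothing else ever goes here


if __name__ == "__main__":
    main()
```

Wire it in with `credential_process = /path/to/provider.py` under a profile in `~/.aws/config`. Two practical checks follow from the design: a stray `print()` for debugging anywhere in the provider breaks every call, because the SDK parses all of stdout as the document, so route diagnostics through the same terminal handle; and the EOF branch matters, since the same profile used from a non-interactive job must fail loudly rather than hang waiting for a selection.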