As noted in the discussion around adding MFA support for Okta, in order to accept additional input from an end-user you need to use a workaround: getpass.getpass or STDERR.

I would like to add a couple more features relative to Okta: dynamic role discovery and selection, as well as aws account selection. These would involve accepting input from the end-user, so, it would be great to have a different way to communicate back to the main AWS CLI tool other than STDOUT.