aws-vault only runs subcommands, there's no API for other languages to use, short of running them _under_ aws-vault. Here's a workaround for Python (3.6+)

aws-vault__login.py

def login():
    if not shutil.which('aws-vault'):
        return boto3.Session()
    if 'AWS_SESSION_TOKEN' in os.environ:
        return boto3.Session()
    if 'AWS_ACCESS_KEY_ID' in os.environ and 'AWS_SECRET_ACCESS_KEY' in os.environ:
        return boto3.Session()
    profile=os.environ.get('AWS_PROFILE', 'default')
    rc = subprocess.run(['aws-vault', 'exec', profile, '--', 'python', '-c',
        'import json,os; print(json.dumps({k:os.environ[k] for k in os.environ if k.startswith("AWS_")}))'],
            check=True, stdout=subprocess.PIPE, stderr=sys.stderr)
    need = json.loads(rc.stdout)
    # too late to put those in os.environ for our benefit, and subprocess ignores changes too
    # Which of these are guaranteed?  We get:
    #   AWS_VAULT AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN
    return boto3.Session(
            profile_name=profile,
            aws_access_key_id=need['AWS_ACCESS_KEY_ID'],
            aws_secret_access_key=need['AWS_SECRET_ACCESS_KEY'],
            aws_session_token=need['AWS_SESSION_TOKEN'],
            )

Note: the above is a simplified version of what I ended up using. The core issue is that AWS does not permit STS token credentials to access any IAM resources unless an MFA was used; this is an implicit policy rule and results in signature verification failures.

You can hard-require MFA for all usage which might touch IAM. You can hard-require MFA on principle. You can use --no-session to avoid using temporary credentials and just export the registered aws_access_key_id/aws_secret_access_key variables into environ.

There's no great answer.