Azure: add option to force use of CLI credential #4799

Merged: MichaelEischer merged 2 commits into restic:master from letmaik:letmaik/azure-force-cli-credential on May 18, 2024

@letmaik
Contributor

@letmaik letmaik commented May 9, 2024

What does this PR change? What problem does it solve?

In Azure, VMs can have multiple identities at the same time, for example a managed identity and an Azure CLI identity. Sometimes the managed identity is not under control of the user but the user can still login with the Azure CLI. In those cases, being able to use the Azure CLI identity with restic makes sense.

DefaultAzureCredential first tries environment variables, managed identity, workload identity, and eventually Azure CLI identity. This PR introduces a new environment variable that forces use of the Azure CLI identity:

export AZURE_FORCE_CLI_CREDENTIAL=true

Was the change previously discussed in an issue or on the forum?

Checklist

  • I have read the contribution guidelines.
  • I have enabled maintainer edits.
  • I have added tests for all code changes.
    • Manually tested.
  • I have added documentation for relevant changes (in the manual).
  • There's a new file in changelog/unreleased/ that describes the changes for our users (see template).
  • I have run gofmt on the code in all commits.
  • All commit messages are formatted in the same style as the other commits in the repo.
  • I'm done! This pull request is ready for review.
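
An added illustration of the situation the PR description above addresses (not restic's code and not the Azure SDK): a simplified model of chained credential selection in which the first source that can issue a token is used, so a managed identity without access to the storage account shadows the Azure CLI login unless the CLI source is forced. The `source` type, `pick`, `sampleChain`, the three-source chain and the identity names are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// source is a hypothetical stand-in for one credential type in the chain.
type source struct {
	name     string
	identity string // identity a token would represent; "" means unavailable
}

var errNoCredential = errors.New("no credential could issue a token")

// pick models chained selection: the first source able to issue a token wins,
// whether or not that identity is authorized on the target resource.
// With forceCLI set, only the Azure CLI source is consulted.
func pick(chain []source, forceCLI bool) (source, error) {
	for _, s := range chain {
		if forceCLI && s.name != "azure-cli" {
			continue
		}
		if s.identity != "" {
			return s, nil
		}
	}
	return source{}, errNoCredential
}

// sampleChain is constructed: a VM whose managed identity the user does not
// control, plus a user who has run `az login`.
func sampleChain() []source {
	return []source{
		{name: "environment"},
		{name: "managed-identity", identity: "vm-managed-identity"},
		{name: "azure-cli", identity: "alice@example.com"},
	}
}

func main() {
	// Constructed role assignment: only the CLI user may access the storage account.
	allowed := map[string]bool{"alice@example.com": true}
	for _, force := range []bool{false, true} {
		s, _ := pick(sampleChain(), force)
		fmt.Printf("force=%v uses %s (%s), authorized=%v\n", force, s.name, s.identity, allowed[s.identity])
	}
}
```

In this model, forcing the CLI source on a host with no `az login` session yields an error rather than a silent fallback to another identity.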

@letmaik letmaik force-pushed the letmaik/azure-force-cli-credential branch from bf9d703 to 90993b0 Compare May 9, 2024 13:54
Member

@MichaelEischer MichaelEischer left a comment

Adding the environment variable seems ok, I didn't find any easy workarounds to ignore the managed identity.

I have a few comments though, see below.

@letmaik letmaik force-pushed the letmaik/azure-force-cli-credential branch from 90993b0 to e1496e2 Compare May 15, 2024 17:17
@MichaelEischer MichaelEischer force-pushed the letmaik/azure-force-cli-credential branch from e1496e2 to c56ecec Compare May 18, 2024 20:16
Member

@MichaelEischer MichaelEischer left a comment

LGTM. I've rebased the PR and added a commit to deduplicate the CLI and default credentials case.

@MichaelEischer MichaelEischer enabled auto-merge May 18, 2024 20:19
@MichaelEischer MichaelEischer added this pull request to the merge queue May 18, 2024
Merged via the queue into restic:master with commit 9c5bac6 May 18, 2024
@letmaik letmaik deleted the letmaik/azure-force-cli-credential branch May 19, 2024 07:40
@letmaik
Contributor Author

letmaik commented Jun 7, 2024

@MichaelEischer Any chance to cut a new release with this? Thanks! :)

@MichaelEischer
Member

It will still take a few weeks as I want to first wrap up the restore improvements planned for restic 0.17.0

@letmaik
Contributor Author

letmaik commented Jun 26, 2024

@MichaelEischer Sorry to be a pain, do you think 0.17.0 will be out by end of next week? We're rolling out an internal policy that will prevent key-based access to storage accounts and without this PR we won't be able to use restic anymore for certain Azure VM scenarios.

@MichaelEischer
Member

> Sorry to be a pain, do you think 0.17.0 will be out by end of next week?

Definitely not before end of next week, a release at the end of next week might be possible, but is somewhat unlikely. There are a few more changes necessary for the restore command before we can cut a new release and I didn't make as much progress as I hoped for.

@rawtaz
Contributor

rawtaz commented Jun 26, 2024

@letmaik Can you please use the latest master build instead, temporarily until the new version is out? It contains the changes you are looking for and is otherwise what would be the next release (except any additional changes between now and the release, of course). It's at https://beta.restic.net/latest/ .

@MichaelEischer
Member

I've noticed that cherry-picking the PR for a 0.16.5 patch release works. So we can include the change in a release earlier than expected.

@MichaelEischer
Member

@letmaik 0.16.5 has been released: https://github.com/restic/restic/releases/tag/v0.16.5

@letmaik
Contributor Author

letmaik commented Jul 2, 2024

@MichaelEischer Thanks a lot, that's extremely helpful! :)
