Azure: add option to force use of CLI credential

internal/backend/azure/azure.go

@@ -101,6 +101,18 @@ func open(cfg Config, rt http.RoundTripper) (*Backend, error) {
 		if err != nil {
 			return nil, errors.Wrap(err, "NewAccountSASClientFromEndpointToken")
 		}
+	} else if cfg.ForceCliCredential {
+		debug.Log(" - using AzureCLICredential")
+
+		cred, err := azidentity.NewAzureCLICredential(nil)
+		if err != nil {
+			return nil, errors.Wrap(err, "NewAzureCLICredential")
+		}
+
+		client, err = azContainer.NewClient(url, cred, opts)
+		if err != nil {
+			return nil, errors.Wrap(err, "NewClient")
+		}
 	} else {
 		debug.Log(" - using DefaultAzureCredential")
 		cred, err := azidentity.NewDefaultAzureCredential(nil)

internal/backend/azure/config.go

@@ -3,6 +3,7 @@ package azure
 import (
 	"os"
 	"path"
+	"strconv"
 	"strings"
 
 	"github.com/restic/restic/internal/backend"
@@ -13,12 +14,13 @@ import (
 // Config contains all configuration necessary to connect to an azure compatible
 // server.
 type Config struct {
-	AccountName    string
-	AccountSAS     options.SecretString
-	AccountKey     options.SecretString
-	EndpointSuffix string
-	Container      string
-	Prefix         string
+	AccountName        string
+	AccountSAS         options.SecretString
+	AccountKey         options.SecretString
+	ForceCliCredential bool
+	EndpointSuffix     string
+	Container          string
+	Prefix             string
 
 	Connections uint `option:"connections" help:"set a limit for the number of concurrent connections (default: 5)"`
 }
@@ -73,6 +75,11 @@ func (cfg *Config) ApplyEnvironment(prefix string) {
 		cfg.AccountSAS = options.NewSecretString(os.Getenv(prefix + "AZURE_ACCOUNT_SAS"))
 	}
 
+	var forceCliCred, err = strconv.ParseBool(os.Getenv(prefix + "AZURE_FORCE_CLI_CREDENTIAL"))
+	if err == nil {
+		cfg.ForceCliCredential = forceCliCred
+	}
+
 	if cfg.EndpointSuffix == "" {
 		cfg.EndpointSuffix = os.Getenv(prefix + "AZURE_ENDPOINT_SUFFIX")
 	}