Description
The docs on the Azure blob storage backend currently have the following to say with respect to authentication:
> Also, set either `AZURE_STORAGE_KEY` or `AZURE_STORAGE_SAS_TOKEN` to authorize access. For additional configuration options, see Azure Setup.
This seems to suggest that the backend uses the same authentication mechanism as the pulumi-azure provider, i.e. the same as hashicorp/terraform-provider-azurerm, which in turn uses hashicorp/go-azure-sdk for authentication. In particular, I should be able to configure OIDC authentication in Azure Pipelines using the usual variables `ARM_TENANT_ID`, `ARM_CLIENT_ID`, `ARM_USE_OIDC`, `ARM_OIDC_REQUEST_URL`, `ARM_OIDC_REQUEST_TOKEN`, `ARM_ADO_PIPELINE_SERVICE_CONNECTION_ID` etc.
However, looking at the code, it seems in reality the Azure blob storage backend uses the go-cloud SDK, which behind the scenes uses the so-called `DefaultAzureCredential` from azure-sdk-for-go's `azidentity` package.
This is the same mechanism that's also used by the `azurekeyvault` encryption provider, see Pulumi's `secrets/cloud/manager.go` and go-cloud's `secrets/azurekeyvault/akv.go`.
In the case of azurekeyvault, however, the Pulumi documentation reflects this.
Unfortunately, as it turns out, the aforementioned DefaultAzureCredential does not support OIDC authentication in Azure pipelines as I had hoped, see also Azure/azure-sdk-for-go#23181, but I will address this elsewhere. For now it would be great if the documentation accurately reflected the usage of DefaultAzureCredential in the Azure blob storage backend.
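The practical consequence of the above is that a pipeline which only exports the `ARM_*` variables hands the blob backend nothing it can use, and `DefaultAzureCredential` then silently falls through to later links of its chain (managed identity, `az` CLI) or fails. The following preflight check, added here as an illustration and not code from Pulumi, go-cloud or azidentity, makes that visible before `pulumi login` runs. It encodes the environment variables azidentity's `EnvironmentCredential` and `WorkloadIdentityCredential` read (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_CLIENT_CERTIFICATE_PATH`, `AZURE_FEDERATED_TOKEN_FILE`) and the two explicit storage credentials the Pulumi docs name; the `Preflight` helper itself, its pass/fail policy, and the sample environments in the test are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// credentialLink describes one link of azidentity's DefaultAzureCredential
// chain that can be satisfied purely from environment variables. The names
// are the documented ones azidentity reads. ManagedIdentityCredential and
// AzureCLICredential come later in the chain and cannot be judged from the
// environment alone, so they are deliberately left out.
type credentialLink struct {
	Name     string
	Required []string
}

var environmentLinks = []credentialLink{
	{"EnvironmentCredential (client secret)", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}},
	{"EnvironmentCredential (client certificate)", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"}},
	{"WorkloadIdentityCredential (federated token file)", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"}},
}

// Explicit storage credentials named in the Pulumi docs; when one is set the
// backend does not need the DefaultAzureCredential chain at all.
var storageCredentialVars = []string{"AZURE_STORAGE_KEY", "AZURE_STORAGE_SAS_TOKEN"}

func present(env map[string]string, key string) bool {
	return strings.TrimSpace(env[key]) != ""
}

// SatisfiedLinks returns the chain links whose required variables are all set
// and non-empty in env, in chain order.
func SatisfiedLinks(env map[string]string) []string {
	var out []string
	for _, link := range environmentLinks {
		ok := true
		for _, k := range link.Required {
			if !present(env, k) {
				ok = false
				break
			}
		}
		if ok {
			out = append(out, link.Name)
		}
	}
	return out
}

// ExplicitStorageCredential reports which explicit storage credential, if
// any, is set; an empty string means the chain will be consulted.
func ExplicitStorageCredential(env map[string]string) string {
	for _, k := range storageCredentialVars {
		if present(env, k) {
			return k
		}
	}
	return ""
}

// IgnoredARMVars lists the non-empty ARM_* variables in env. The azurerm and
// pulumi-azure providers honour these, but azidentity never reads them.
func IgnoredARMVars(env map[string]string) []string {
	var out []string
	for k := range env {
		if strings.HasPrefix(k, "ARM_") && present(env, k) {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

// Preflight (hypothetical helper) summarises what the backend will do with env.
// It returns false when nothing in env can authenticate the backend without
// relying on an ambient identity further down the chain.
func Preflight(env map[string]string) (string, bool) {
	if k := ExplicitStorageCredential(env); k != "" {
		return "backend will use explicit storage credential " + k, true
	}
	links := SatisfiedLinks(env)
	var b strings.Builder
	if len(links) > 0 {
		fmt.Fprintf(&b, "DefaultAzureCredential will be satisfied by: %s", strings.Join(links, ", "))
	} else {
		b.WriteString("no environment-backed credential; chain falls through to managed identity / az CLI")
	}
	if ignored := IgnoredARMVars(env); len(ignored) > 0 {
		fmt.Fprintf(&b, " (set but ignored by azidentity: %s)", strings.Join(ignored, ", "))
	}
	return b.String(), len(links) > 0
}

func main() {
	env := map[string]string{}
	for _, kv := range os.Environ() {
		if i := strings.IndexByte(kv, '='); i > 0 {
			env[kv[:i]] = kv[i+1:]
		}
	}
	msg, ok := Preflight(env)
	fmt.Println(msg)
	if !ok {
		os.Exit(1) // fail the pipeline step rather than let the chain pick an ambient identity
	}
}
```

Run it as a step before `pulumi login azblob://...`; a non-zero exit means the job is about to authenticate with whatever identity happens to be ambient on the agent, which is rarely what the pipeline author intended. Note that it only judges the environment: a satisfied `WorkloadIdentityCredential` link still depends on the federated token file actually being present and accepted by Entra ID.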