[Enhancement Proposal] Support "bring your own access token"

[jiasli]

Is your feature request related to a problem? Please describe.

We have received several feature requests that the user would like to provide their own access token, without interacting with AAD.

Azure PowerShell cmdlet Connect-AzAccount supports -AccessToken.

Describe the solution you'd like

1. az login should support either

   • --access-token argument which accepts an access token with Subscriptions - List permission:

     az login --access-token <access_token>
     

   • both --access-token (may not have Subscriptions - List permission) and --subscription which explicitly specifies the default subscription (also see [Enhancement Proposal] Support --subscription in az login #14933):

     az login --access-token <access_token> --subscription <subscription_id>
     

2. Each az command should support a global argument --access-token which can be used together with --subscription to invoke ARM request:

   az group list --access-token <access_token> --subscription <subscription_id>
   

   I previously made a prototype: [Demo] Allow specifying a custom access token jiasli/azure-cli#12

3. Consume an environment variable AZURE_CLI_ACCESS_TOKEN so that all commands can use the same access token:

   export AZURE_CLI_ACCESS_TOKEN=<access_token>
   az group list
   

   Also, since environment variables are preserved in memory, is it much safer than saving the access token to hard disk. Also see Enable authentication via environment variables #10241

[yonzhan]

Enhancement Proposal

[jiasli]

Azure CLI can take advantage of TokenCredential if Azure/azure-sdk#2189 is implemented.