
keyvault: Providing a subscription generates a tenant, conflicts with CLI authentication method #25758

@lbordowitz

Description

Bug Report

Using the following packages (from go.mod):

go 1.25.0

require (
	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0
)

I run the following code:

package main

import (
	"context"
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
)

func main() {
	ctx := context.Background()

	vaultURL := "https://my-vault.vault.azure.net/"
	vaultKey := "my-key"

	// Subscription is set; TenantID is deliberately left empty.
	credential, err := azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{
		Subscription: "xxxxxxxxxxx",
		TenantID:     "",
	})
	if err != nil {
		fmt.Printf("credential err: %+v\n", err)
		return
	}
	client, err := azkeys.NewClient(vaultURL, credential, nil)
	if err != nil {
		fmt.Printf("client err: %+v\n", err)
		return
	}

	// Empty version string: fetch the latest version of the key.
	keyInfo, err := client.GetKey(ctx, vaultKey, "", nil)
	if err != nil {
		fmt.Printf("get key err: %+v\n", err)
		return
	}
	fmt.Printf("key info: %+v\n", *keyInfo.Key.KID)
}

I've provided a SubscriptionID but no tenant. In fact, I've explicitly excluded a tenant. However, when I run this, I get the following error message:

get key err: AzureCLICredential: ERROR: Please specify only one of subscription and tenant, not both

What appears to be going on is that deep inside the internal keyvault code, the client helpfully parses and includes the tenant from the request as part of the TokenRequestOptions. Those are passed through as opts.TenantID, which subsequently sets both tenant and subscription in the CLI command.

For reference, I am an OpenTofu developer working on an issue (opentofu/opentofu#3520) which deals with how key encryption specifically does not handle this appropriately, especially in conjunction with the azurerm provider. That provider uses HashiCorp's go-azure-sdk, which has logic to prevent setting both tenant and subscription simultaneously. The ideal solution would be incorporating similar logic in azure_cli_credential.go.
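The mechanism described in the report, as an added illustration that is not part of the issue and not the SDK's own code: a Key Vault request made without a token is answered with a 401 whose WWW-Authenticate header names the vault's tenant; the challenge policy passes that tenant on as the per-request TenantID, and a CLI credential that also carries a Subscription then has both values to hand off to az. The header below is constructed (the tenant GUID is made up), the helper names tenantFromChallenge, cliOptions and azTokenArgs are hypothetical, and the guard policy (refuse up front instead of letting az fail) is one possible choice rather than what go-azure-sdk or azidentity actually do.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleChallenge is a constructed WWW-Authenticate header of the shape Key Vault
// returns on the first, unauthenticated request. The tenant GUID is made up.
const sampleChallenge = `Bearer authorization="https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555", resource="https://vault.azure.net"`

var authParam = regexp.MustCompile(`authorization="([^"]+)"`)

// tenantFromChallenge extracts the tenant ID from the authorization URL of a
// Bearer challenge: the tenant is the single path segment of that URL.
func tenantFromChallenge(header string) (string, error) {
	if !strings.HasPrefix(header, "Bearer ") {
		return "", errors.New("not a Bearer challenge")
	}
	m := authParam.FindStringSubmatch(header)
	if m == nil {
		return "", errors.New("challenge has no authorization parameter")
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return "", err
	}
	tenant := strings.Trim(u.Path, "/")
	if tenant == "" {
		return "", errors.New("authorization URL carries no tenant")
	}
	return tenant, nil
}

// cliOptions mirrors the two credential options that matter for this bug.
type cliOptions struct {
	Subscription string // emitted as --subscription
	TenantID     string // emitted as --tenant; "" means "use the CLI's default"
}

// azTokenArgs builds the argument list for `az account get-access-token`.
// requestTenant is the tenant a per-request challenge asked for (may be "").
// A per-request tenant overrides the configured one, as the report describes.
// The guard (an assumed policy, not the SDK's) refuses to emit --tenant and
// --subscription together, which is the combination az rejects, so the caller
// sees a clear error before any process is spawned.
func azTokenArgs(opts cliOptions, requestTenant, scope string) ([]string, error) {
	tenant := opts.TenantID
	if requestTenant != "" {
		tenant = requestTenant
	}
	if tenant != "" && opts.Subscription != "" {
		return nil, fmt.Errorf("tenant %q and subscription %q both set: az accepts only one of them", tenant, opts.Subscription)
	}
	args := []string{"account", "get-access-token", "--output", "json", "--scope", scope}
	if tenant != "" {
		args = append(args, "--tenant", tenant)
	}
	if opts.Subscription != "" {
		args = append(args, "--subscription", opts.Subscription)
	}
	return args, nil
}

func main() {
	tenant, err := tenantFromChallenge(sampleChallenge)
	if err != nil {
		fmt.Println("challenge parse error:", err)
		return
	}
	// The report's configuration: Subscription set, TenantID empty. The challenge
	// supplies the tenant, so both values would reach az and the guard fires.
	opts := cliOptions{Subscription: "xxxxxxxxxxx"}
	if _, err := azTokenArgs(opts, tenant, "https://vault.azure.net/.default"); err != nil {
		fmt.Println("refused:", err)
	}
	// Without a subscription the challenge tenant is simply forwarded.
	args, _ := azTokenArgs(cliOptions{}, tenant, "https://vault.azure.net/.default")
	fmt.Println("az", strings.Join(args, " "))
}
```

The point of checking before spawning az is that the CLI's own message ("Please specify only one of subscription and tenant, not both") says nothing about where the tenant came from; an SDK-level error can name both values and so points at the challenge-supplied tenant directly.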

Metadata

Labels

Azure.Identity
bug: This issue requires a change to an existing behavior in the product in order to be resolved.
customer-reported: Issues that are reported by GitHub users external to the Azure organization.

Status

Untriaged

Development

No branches or pull requests