Allow configuring which secrets it'll try to refresh

[flokli]

When running this, there's currently a lot of log spam about trying to update other credentials than the one configured.

It should be possible to only enable certain clients. We can't really derive this from what environment variables are configured right now, as some of them rely on application default credentials passed from a metadata server.