Reputation: 193
I have a load-balanced web app that has two app services, one for east and one for west. An issue has been occurring where AntiForgeryTokens are not being decrypted properly, and in my research this seems to be due to mismatched machinekeys which were automatically generated at runtime on the two app services.
The obvious solution here is to add the machinekey parameter to the web.config in both instances, so the decryption keys are the same.
My issue, however, comes from the fact that our repo does not allow any sort of secrets within the repository. Instead, we are required to use Azure Key Vault and dynamically load in the values as the app starts.
My question is: how do I solve this problem without relying on storing secret values in the web.config file? I've tried searching for dynamically setting the decryption key, to no avail. Apologies if this is a common issue.
Upvotes: 2
Views: 744
Reputation: 29482
For an application running on a Windows App Service, you can use the settings described here:
It will allow you to inject the same machine key values for all your app services.
If you enable managed identity, you could store the machine key values in Key Vault and use a Key Vault reference in the App Service app settings:
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
Upvotes: 2
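The Key Vault reference approach from the answer above, applied to both regional apps with the Azure CLI, as an added example that is not part of the original answer. The app names, resource group, vault, secret and the app setting name `MACHINE_KEY_SETTING` are constructed placeholders, and the vault is assumed to use access policies rather than Azure RBAC.

```bash
#!/usr/bin/env bash
# Added example: every name below is a constructed placeholder.
# DRY_RUN=1 (the default) prints the az commands instead of running them;
# set DRY_RUN=0 to apply them with a logged-in Azure CLI.
DRY_RUN="${DRY_RUN:-1}"

# Build a Key Vault reference in the form shown in the answer.
kv_reference() {  # $1 = vault name, $2 = secret name
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Give one app a managed identity, let that identity read secrets,
# and point the app setting at the shared secret.
configure_app() {  # $1 = app, $2 = resource group, $3 = vault, $4 = setting, $5 = secret
  if [ "$DRY_RUN" = "1" ]; then
    principal='<principalId>'
    printf '%s\n' "az webapp identity assign --name $1 --resource-group $2"
  else
    principal=$(az webapp identity assign --name "$1" --resource-group "$2" \
      --query principalId --output tsv) || return 1
  fi
  # Least privilege: the app identity only needs "get" on secrets.
  run az keyvault set-policy --name "$3" --object-id "$principal" \
    --secret-permissions get || return 1
  run az webapp config appsettings set --name "$1" --resource-group "$2" \
    --settings "$4=$(kv_reference "$3" "$5")"
}

# Both regions must resolve to the same secret, otherwise tokens issued
# by one instance still fail to decrypt on the other.
configure_all() {
  for app in myapp-east myapp-west; do
    # MACHINE_KEY_SETTING stands in for whichever setting name the app reads.
    configure_app "$app" my-rg myvault MACHINE_KEY_SETTING mysecret || return 1
  done
}

configure_all
```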