In Azure, the recommended place to store application secrets is Azure Key Vault. ASP.NET Core makes it easy for an application to read secrets from Key Vault, but the application needs to be given valid credentials to do so.
Key Vault allows us to separate the roles of key managers, key consumers, and developers. The separation is important in the production data environment.
ASP.NET Core supports Azure Key Vault as a configuration source. But I would not want to put a client id and secret in the configuration somewhere. It would kind of defeat the purpose of using Key Vault. So why don't we use Azure AD Managed Service Identity to get tokens for Key Vault, and get the configuration that way?
This article shows how to create an Azure Resource Manager (ARM) template which uses an Azure Key Vault. The ARM template is used to deploy an ASP.NET Core application as an Azure App Service. By using an Azure Resource Group project, the secret app settings can be fetched from the Azure Key Vault during deployment, and deployed to the Azure App Service. This makes it easy to automate the whole deployment process, and no secrets are added to the source.