IIS Keys: Machine Keys, WAS Keys, IIS Configuration Keys
There are only really two keys not three.
There is the IISConfigurationKey ("Machine Key") Which can live in the webroot, or in the global system config, and the iisWasKey. Essentially you can override the global machine key by having one in the app config.
The Machine Key is used to encrypt configuration sections. This is the key that will be used to encrypt things like configuration strings, and other bits that you can specify as part of the app.config.
The iisWasKey is used to encrypt the application pool identity.
So you need the private key from the machine that setup the IIS configuration on all IIS server in the farm to be able to decrypt and run the config you are pushing out.
Reference 1
Reference 2