BlackFriday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

HashiCorp Exam Vault-Associate Topic 1 Question 3 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 3
Topic #: 1
[All Vault-Associate Questions]

An organization would like to use a scheduler to track & revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?

Show Suggested Answer Hide Answer
Suggested Answer: C

A lease ID is a unique identifier that is assigned by Vault to every dynamic secret and service type authentication token. A lease ID contains information such as the secret path, the secret version, the secret type, etc. A lease ID can be used to track and revoke access granted to a job by Vault at completion, as it allows the scheduler to perform the following operations:

Lookup the lease information by using the vault lease lookup command or the sys/leases/lookup API endpoint. This will return the metadata of the lease, such as the expire time, the issue time, the renewable status, and the TTL.

Renew the lease if needed by using the vault lease renew command or the sys/leases/renew API endpoint. This will extend the validity of the secret or the token for a specified increment, or reset the TTL to the original value if no increment is given.

Revoke the lease when the job is completed by using the vault lease revoke command or the sys/leases/revoke API endpoint. This will invalidate the secret or the token immediately and prevent any further renewals. For example, with the AWS secrets engine, the access keys will be deleted from AWS the moment a lease is revoked.

A lease ID is different from a token ID or a token accessor. A token ID is the actual value of the token that is used to authenticate to Vault and perform requests. A token ID should be treated as a secret and protected from unauthorized access. A token accessor is a secondary identifier of the token that is used for token management without revealing the token ID. A token accessor can be used to lookup, renew, or revoke a token, but not to authenticate to Vault or access secrets. A token ID or a token accessor can be used to revoke the token itself, but not the leases associated with the token. To revoke the leases, a lease ID is required.

An authentication method is a way to verify the identity of a user or a machine and issue a token with appropriate policies and metadata. An authentication method is not an object that can be tracked or revoked, but a configuration that can be enabled, disabled, tuned, or customized by using the vault auth commands or the sys/auth API endpoints.


Contribute your Thoughts:

Mari
7 months ago
I can see both sides of the argument here. The Lease ID might be the more straightforward option, but the Token-based approach could provide more flexibility and control. It's a tough call.
upvoted 0 times
Denny
7 months ago
C) Lease ID
upvoted 0 times
...
Anastacia
7 months ago
True, but considering the organization's needs, the Token accessor might be the better choice.
upvoted 0 times
...
Malcolm
7 months ago
A) Token accessor
upvoted 0 times
...
Ling
7 months ago
But tracking the Lease ID might be the more straightforward approach in this situation.
upvoted 0 times
...
Nohemi
7 months ago
C) Lease ID
upvoted 0 times
...
Yong
7 months ago
I agree, tracking the Token accessor would provide more flexibility in managing access.
upvoted 0 times
...
Maxima
7 months ago
A) Token accessor
upvoted 0 times
...
...
Jamie
7 months ago
I agree with Refugia. Tracking the Token accessor or Token ID seems like a more robust approach. Relying on the Lease ID feels a bit too indirect to me.
upvoted 0 times
...
Refugia
7 months ago
I'm not so sure about that. Wouldn't tracking the Token accessor or Token ID be a better way to manage the access? That way, you can revoke the token itself instead of just the lease.
upvoted 0 times
...
Nohemi
7 months ago
Hmm, this is an interesting question. I think the answer is C) Lease ID. Vault uses leases to track access granted to a job, and revoking the lease would effectively revoke the access when the job is completed.
upvoted 0 times
...

Save Cancel