Free Preparation Discussions
MENU
HashiCorp Vault-Associate Exam Questions
- Topic 1: Describe Shamir secret sharing and unsealing/ Differentiate between service and batch tokens. Choose one based on use-case
- Topic 2: Differentiate human vs. system auth methods/ Choose an authentication method based on use case
- Topic 3: Compare and configure Vault secrets engines/ Contrast dynamic secrets vs. static secrets and their use cases
- Topic 4: Describe root token uses and lifecycle/ Craft a Vault policy based on requirements
- Topic 5: Be aware of identities and groups/ Explain the value of short-lived, dynamically generated secrets
- Topic 6: Configure authentication methods/ Describe Vault policy syntax: capabilities
- Topic 7: Configure authentication methods/ Describe the encryption of data stored by Vault
- Topic 8: Configure Vault policies/ Access Vault secrets via Curl/ Explain Vault architecture
- Topic 9: Describe authentication methods/ Illustrate the value of Vault policy
- Topic 10: Choose a secret method based on use case/ Explain the purpose of a lease ID
Free HashiCorp Vault-Associate Exam Actual Questions
Note: Premium Questions for Vault-Associate were last updated On Feb. 22, 2025 (see below)
An organization would like to use a scheduler to track & revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?
A lease ID is a unique identifier that is assigned by Vault to every dynamic secret and service type authentication token. A lease ID contains information such as the secret path, the secret version, the secret type, etc. A lease ID can be used to track and revoke access granted to a job by Vault at completion, as it allows the scheduler to perform the following operations:
Lookup the lease information by using the vault lease lookup command or the sys/leases/lookup API endpoint. This will return the metadata of the lease, such as the expire time, the issue time, the renewable status, and the TTL.
Renew the lease if needed by using the vault lease renew command or the sys/leases/renew API endpoint. This will extend the validity of the secret or the token for a specified increment, or reset the TTL to the original value if no increment is given.
Revoke the lease when the job is completed by using the vault lease revoke command or the sys/leases/revoke API endpoint. This will invalidate the secret or the token immediately and prevent any further renewals. For example, with the AWS secrets engine, the access keys will be deleted from AWS the moment a lease is revoked.
A lease ID is different from a token ID or a token accessor. A token ID is the actual value of the token that is used to authenticate to Vault and perform requests. A token ID should be treated as a secret and protected from unauthorized access. A token accessor is a secondary identifier of the token that is used for token management without revealing the token ID. A token accessor can be used to lookup, renew, or revoke a token, but not to authenticate to Vault or access secrets. A token ID or a token accessor can be used to revoke the token itself, but not the leases associated with the token. To revoke the leases, a lease ID is required.
An authentication method is a way to verify the identity of a user or a machine and issue a token with appropriate policies and metadata. An authentication method is not an object that can be tracked or revoked, but a configuration that can be enabled, disabled, tuned, or customized by using the vault auth commands or the sys/auth API endpoints.
The following three policies exist in Vault. What do these policies allow an organization to do?
The three policies that exist in Vault are:
admins: This policy grants full access to all secrets and operations in Vault. It can be used by administrators or operators who need to manage all aspects of Vault.
default: This policy grants access to all secrets and operations in Vault except for those that require specific policies. It can be used as a fallback policy when no other policy matches.
transit: This policy grants access only to the transit secrets engine, which handles cryptographic functions on data in-transit. It can be used by applications or services that need to encrypt or decrypt data using Vault.
These policies allow an organization to perform useful tasks such as:
Encrypting, decrypting, and rewrapping data using the transit engine all in one policy: This policy grants access to both the transit secrets engine and the default policy, which allows performing any operation on any secret in Vault.
Creating a transit encryption key for encrypting, decrypting, and rewrapping encrypted data: This policy grants access only to the transit secrets engine and its associated keys, which are used for encrypting and decrypting data in transit using AES-GCM with a 256-bit AES key or other supported key types.
Separating permissions allowed on actions associated with the transit secret engine: This policy grants access only to specific actions related to the transit secrets engine, such as creating keys or wrapping requests. It does not grant access to other operations or secrets in Vault.
- Select Question Types you want
- Set your Desired Pass Percentage
- Allocate Time (Hours : Minutes)
- Create Multiple Practice tests with Limited Questions
- Customer Support
Antione
8 days agoBarney
1 months agoLindy
1 months agoOlive
2 months agoCarlee
2 months agoMarshall
3 months agoAvery
3 months agoWillard
3 months agoLaticia
4 months agoAvery
4 months agoRutha
4 months agoSylvia
5 months agoBette
5 months agoBeatriz
5 months agoJosephine
5 months agoFranchesca
6 months agoElbert
6 months agoYuette
6 months agoWalton
6 months agoMammie
7 months agoLatonia
8 months agoLashaunda
8 months agoBeatriz
9 months agoCassi
9 months agoCordelia
9 months agoMalinda
9 months agoMalcom
11 months ago