
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Compare authentication methods

Practice VA-003 Compare authentication methods questions with full explanations on every answer.


VA-003 Domains

Compare authentication methods, Assess Vault tokens, Create Vault policies, Manage Vault leases, Compare and configure secrets engines, Utilize Vault CLI and API, Explain Vault architecture, Explain encryption as a service


All VA-003 Compare authentication methods questions (60)


1

A DevOps team wants to authenticate to Vault using short-lived tokens without storing a secret in their CI/CD pipeline. Which authentication method best meets this requirement?

2

An organization uses Kubernetes pods to access Vault. They want to avoid hardcoding any secrets in the pod definition. Which authentication method should they use?

3

A security team notices that some Vault users are authenticating with the Userpass auth method, but they want to enforce password complexity and expiration. What is the best approach?

4

A company has multiple AWS accounts and wants to allow EC2 instances to authenticate to Vault without storing any secrets on the instances. Which authentication method should they use?

5

An administrator configures AppRole with a RoleID and SecretID. They want to ensure that each SecretID can be used only once. Which configuration should they use?

6

Which authentication method allows a user to authenticate using a one-time password (OTP) generated by an authenticator app?

7

A Vault administrator wants to allow users to authenticate using their corporate Active Directory credentials. Which authentication method should they enable?

8

A company uses Vault for secrets management. They want to authenticate using GitHub tokens, but only for users who are members of a specific GitHub team. What must be configured?

9

Which TWO authentication methods allow a machine to authenticate without storing a static secret? (Choose two.)

10

Which THREE factors contribute to the security of the AppRole authentication method? (Choose three.)

11

Which TWO authentication methods are designed for human users? (Choose two.)

12

A financial services company runs a microservices architecture on Kubernetes. Each microservice needs to authenticate to Vault to retrieve database credentials. The security team mandates that no secrets (tokens, passwords, certificates) be stored in container images or Kubernetes secrets. They also require that each microservice can only access its own secrets. The platform team is evaluating authentication methods. They consider using AppRole, but are concerned about distributing the SecretID. They also consider Kubernetes auth, but are unsure how to restrict access per microservice. They test with a Kubernetes deployment and find that any pod in the namespace can authenticate to Vault. What should they do to meet all requirements?

13

A startup uses Vault to manage secrets for their web application. They currently have a single admin user who authenticates with a root token. They want to allow two developers to authenticate with their own credentials and restrict them to read-only access to a specific path 'secret/data/webapp'. They decide to use the Userpass auth method. The admin creates a user 'dev1' with password 'password123' and assigns a policy 'webapp-readonly' that grants read capability on 'secret/data/webapp'. However, when dev1 tries to log in, Vault returns a permission denied error. The admin checks the token and sees no policies attached. What is the most likely issue?

14

Drag and drop the steps to enable AppRole authentication in Vault into the correct order.

15

Drag and drop the steps to set up Vault's Kubernetes auth method into the correct order.

16

Match each Vault secret engine to its primary purpose.

17

Match each Vault replication type to its behavior.

18

A DevOps team wants to automate authentication to Vault for Jenkins jobs running on AWS EC2 instances. Which authentication method is most appropriate and secure for this use case without storing long-lived credentials?

19

A security administrator notices that a Vault client using AppRole authentication is generating a very large number of tokens, causing performance issues. The administrator finds that the same AppRole role is used by multiple applications. What should the administrator do to reduce the number of tokens while maintaining security?

20

An organization uses Vault with LDAP authentication. Users report they are unable to log in, and the administrator sees errors like 'LDAP bind failed: invalid credentials' in the Vault logs. The LDAP server is reachable. What is the most likely cause?

21

An administrator wants to allow users to authenticate to Vault using their existing corporate GitHub accounts. Which authentication method should be enabled?

22

A company has a Vault cluster and wants to allow applications running in Kubernetes pods to authenticate without storing static secrets. Which Vault authentication method is specifically designed for Kubernetes?

23

During an audit, it is discovered that a single AppRole role is used by hundreds of applications, and it is impossible to revoke access for a single compromised application without affecting others. What should be done to improve the security posture?

24

Which authentication method in Vault uses a shared secret (Role ID) and a dynamic secret (Secret ID) to authenticate machines or applications?

25

A Vault administrator needs to allow users to authenticate using their existing corporate Active Directory credentials. The administrator has configured the LDAP authentication method but users cannot log in. The Vault logs show 'LDAP bind successful' but then 'user not found in group' error. What is the most likely issue?

26

An organization uses Vault with the JWT/OIDC authentication method. After configuring the provider, users can authenticate, but the scopes requested do not include the email claim needed for policy mapping. What should the administrator do?

27

Which TWO of the following are valid authentication methods in HashiCorp Vault? (Choose two.)

28

Which THREE of the following are true statements about the AppRole authentication method? (Choose three.)

29

Which TWO of the following are differences between using Vault's token auth method and other auth methods? (Choose two.)

30

Refer to the exhibit. Which authentication method is currently enabled for production applications?

31

A development team wants to authenticate to Vault using a method that does not require storing secrets in source code and supports automatic rotation of credentials. Which authentication method best meets these requirements?

32

An organization uses AppRole with secret_id generation via the Vault API. Security policy requires that each secret_id can be used only once and must expire after 1 hour. Which configuration option should be set on the AppRole role to enforce this?

33

A company is migrating from on-premises to cloud and needs to authenticate applications using short-lived credentials. They have a mix of workloads: some on AWS EC2, some on Kubernetes, and some in their own datacenter. Which Vault authentication method provides a unified solution that works across all these environments without requiring a shared secret?

34

A CI/CD pipeline runs in a Kubernetes cluster and needs to authenticate to Vault to fetch secrets. The pipeline should not have to manage any long-lived credentials. Which authentication method is most suitable?

35

An administrator wants to use Vault's authentication method that allows users to log in with their corporate credentials via a federated identity system. The credentials are stored in an external identity provider (IdP) and Vault should not store any passwords. Which authentication method should be configured?

36

A large enterprise uses Azure Active Directory as its identity provider. They want to authenticate users to Vault using Azure AD tokens. However, they require that Vault validate the token's signature and claims without contacting Azure AD every time. Which authentication method should they use?

37

A security team wants to allow applications to authenticate to Vault without storing any secrets in configuration files. The applications run on AWS EC2 instances with an IAM role attached. Which Vault authentication method leverages the EC2 instance metadata to obtain credentials?

38

An administrator needs to enable an authentication method for human users that integrates with an existing LDAP directory. The company wants to ensure that Vault can perform group-based policy assignment based on LDAP group membership. Which configuration step is mandatory to map LDAP groups to Vault policies?

39

A company uses both userpass and AppRole authentication methods. They notice that tokens issued via AppRole are not properly revoked when the corresponding secret_id is deleted. Which concept explains this behavior?

40

Which TWO authentication methods support multi-factor authentication (MFA) natively within Vault Enterprise?

41

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

42

Which THREE authentication methods support generating tokens with TTL and renewable options?

43

A Vault administrator runs `vault auth list` and sees the output above. The administrator wants to disable the default token authentication method to improve security. Which command should they run?

44

A user 'john' logs in via the userpass method. The output shows a token with a duration of 768 hours. However, the userpass mount is configured with `token_ttl=24h`. What is the most likely reason for the longer token duration?

45

A Vault administrator is configuring AppRole authentication via the configuration file shown. After running `vault server -config=config.json`, they try to enable AppRole at a different path. What will happen?

46

A DevOps team wants to authenticate a CI/CD pipeline running on a Jenkins server outside Kubernetes. The pipeline needs to obtain short-lived tokens to read secrets. Which authentication method should be used?

47

An organization previously used userpass auth and is migrating to LDAP auth. After enabling LDAP and configuring the bind user, users can authenticate but their policies do not apply. What is the most likely cause?

48

A company uses AWS IAM auth for EC2 instances. An instance with an IAM role 'app-role' successfully logs in, but another instance with the same IAM role receives a permission denied error when trying to authenticate. The Vault server and AWS account are healthy. What is the most likely cause?

49

A security engineer needs to choose an authentication method for a set of microservices running in a Kubernetes cluster that require short-lived secrets. The method should leverage the pod's identity. Which method is best?

50

A company uses OIDC auth for human users. After the OIDC provider rotates its signing keys, some users report that they cannot authenticate. The Vault logs show that the OIDC response validation fails. What is the most likely cause?

51

A company uses Kubernetes auth. A pod in namespace 'prod' with service account 'my-sa' can authenticate and read secrets. After upgrading the Kubernetes cluster, the same pod fails to authenticate with error 'JWT token issuer is not valid'. What is the most likely cause?

52

An administrator wants to allow human users to authenticate using their corporate Active Directory credentials. Which authentication method should they enable?

53

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

54

Which THREE are best practices when selecting authentication methods for different use cases?

55

Which THREE authentication methods are built into Vault (no plugin required)?

56

A finance company runs a microservices architecture on Kubernetes. Each microservice has its own service account and uses Kubernetes auth to authenticate to Vault and read secrets. Recently, a new microservice 'payment' was deployed in the 'prod' namespace with service account 'payment-sa'. The team created a Vault role with bound_service_account_names=['payment-sa'] and bound_service_account_namespaces=['prod']. The microservice can authenticate and obtains a token, but when it tries to read the secret at path 'secret/data/payments/db', it gets a permissions error. Other microservices in the same namespace with similar roles work fine. The Vault policy for the role includes read access to 'secret/data/payments/*'. What is the most likely issue and correct action?

57

A SaaS company uses AppRole authentication for their CI/CD pipeline. The pipeline runs on a Jenkins server. The pipeline generates a secret ID using the AppRole 'ci-role' and then logs in to Vault to read a database credential. Recently, the pipeline started failing intermittently with errors like 'secret ID is expired' or 'secret ID is used'. The pipeline generates a new secret ID every run. The team verified that the AppRole's secret_id_ttl is set to 0 (unlimited) and the secret_id_num_uses is set to 1. The pipeline runs multiple jobs concurrently, sometimes using the same AppRole. What is the most likely cause and solution?

58

A small company uses Vault with LDAP authentication for their employees. They configured the LDAP auth method pointing to their on-premises Active Directory. Several users report that they can log in to the Vault UI, but they cannot see any secrets in the paths they expect. The administrator verified that the users are in the correct AD groups. The Vault policies are defined and assigned to groups via the LDAP auth method's group mapping. However, the users still have no permissions. What is the most likely root cause and the correct fix?

59

A large e-commerce company uses Vault to manage secrets for their AWS EC2 instances. They use AWS IAM auth. The Vault role is configured with bound_iam_role_arn to match the IAM role 'ec2-app-role'. Most instances work fine. However, a new instance launched with the same IAM role fails to authenticate. The instance can reach Vault (network is fine) and the AWS credentials are valid. The Vault server logs show: 'error validating login: unable to get instance identity document'. The new instance is in a different AWS region (us-west-2) while most others are in us-east-1. Vault is deployed in us-east-1. What is the most likely cause and solution?

60

A company runs its containerized workloads on multiple Kubernetes clusters and also maintains a number of legacy virtual machines running critical applications. The Vault cluster is deployed outside Kubernetes and is used to manage secrets for both environments. The DevOps team has configured the Kubernetes auth method for pods in the Kubernetes clusters, but they are experiencing authentication failures for pods in one specific namespace. Meanwhile, legacy VMs cannot authenticate at all because they are not part of any Kubernetes cluster. The Vault administrator needs to enable authentication for all workloads while minimizing changes to existing applications. The administrator has received the following requirements: containerized pods should authenticate without manual token distribution, legacy VMs should use a method that supports machine-oriented authentication with short-lived tokens, and all authentication should be auditable. Which course of action should the administrator take?


Frequently asked questions

What does the Compare authentication methods domain cover on the VA-003 exam?

The Compare authentication methods domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.

How many Compare authentication methods questions are in the VA-003 question bank?

The Courseiva VA-003 question bank contains 60 questions in the Compare authentication methods domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Compare authentication methods for VA-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Compare authentication methods questions for VA-003?

Yes — the session launcher on this page draws questions exclusively from the Compare authentication methods domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
