Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Compare and configure secrets engines

Practice VA-003 Compare and configure secrets engines questions with full explanations on every answer.

81 questions

All VA-003 Compare and configure secrets engines questions (81)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A DevOps team uses Vault to store database credentials via the database secrets engine. They notice that after the default lease duration, applications receive errors when trying to connect. The team wants to ensure that applications automatically renew leases before expiration. What should they do?

2

A security team wants to store static secrets like API keys in Vault. They need the secrets to be versioned and support rollback. Which secrets engine should they use?

3

An organization uses the AWS secrets engine to generate IAM users dynamically. They notice that the generated IAM user is not immediately available for use in AWS. What is the most likely reason?

4

A company is using the PKI secrets engine to issue certificates for internal services. They want to ensure that certificates are automatically revoked if a service is decommissioned. What should they implement?

5

A developer wants to use Vault to encrypt sensitive data before storing it in a database. They need to perform encryption and decryption operations without ever exposing the encryption key. Which secrets engine should they use?

6

A company has multiple Vault clusters in different regions. They want to use the replication feature to synchronise secrets across clusters. However, they want to exclude a specific secrets engine from replication for compliance reasons. What should they do?

7

An administrator configured the database secrets engine with PostgreSQL. When an application requests credentials, Vault returns a username and password. However, the application reports that the credentials are not working. What is the most likely cause?

8

A team wants to store configuration data such as feature flags in Vault. They need to be able to list all keys under a path. Which secrets engine supports listing?

9

Which TWO of the following are valid use cases for the Transit secrets engine? (Select exactly 2.)

10

Which THREE of the following are true about the KV v2 secrets engine? (Select exactly 3.)

11

Which TWO of the following are valid secrets engines in Vault? (Select exactly 2.)

12

A financial services company runs a mixed environment of on-premises and cloud workloads. They use Vault Enterprise with performance replication across two data centers: primary in us-east and secondary in eu-west. The secrets engine configuration includes KV v2 for static secrets, database engine for PostgreSQL credentials, and transit for encryption. Recently, the operations team noticed that after a network partition between the data centers, the secondary cluster stopped serving read requests for database credentials, although other secrets like KV v2 were still accessible. The team confirmed that the replication status shows 'secondary' and the cluster is healthy. The Vault configuration uses a single replication path filter that includes all mounts. What is the most likely reason for the database credentials not being available on the secondary?

13

A SaaS startup uses Vault to manage secrets for their microservices architecture. They have enabled the KV v2 secrets engine at 'secret/' and the database secrets engine at 'database/'. Developers often need to read application configuration from 'secret/app/config' and database credentials from 'database/creds/app-role'. Recently, the security team mandated that all secrets must be encrypted at rest using Vault's seal mechanism. They configured Vault to use AWS KMS as the seal. After enabling the seal, they noticed that reading from 'secret/app/config' still works, but reading from 'database/creds/app-role' returns an error: 'Error making API request: Code: 500. Errors: * 1 error occurred: * failed to decrypt data'. What is the most likely cause?

14

A company uses Vault to manage database credentials for a production PostgreSQL cluster. The application team reports that dynamic credentials generated from the database secrets engine are being revoked before the application has finished using them. The Vault lease TTL is set to 1 hour, but the application workload sometimes runs for up to 2 hours. What is the MOST efficient way to ensure credentials remain valid for the full workload duration?

15

A DevOps team is configuring the AWS secrets engine to generate IAM users with dynamic credentials. They want to ensure that each Vault-generated IAM user is automatically deleted when its lease expires. Which TWO configuration steps are required to achieve this? (Choose two.)

16

An administrator runs the commands shown in the exhibit. Later, they run 'vault kv delete kv-v2/secret' and then 'vault kv undelete -versions=1 kv-v2/secret' to recover the secret. Which command must the administrator run to verify that the secret is now readable?

17

A financial services company runs a microservices application on Kubernetes. Each service needs to authenticate to Vault using Kubernetes auth and then read secrets from a shared KV v2 engine mounted at 'shared-kv'. The security team requires that Service-A can only read secrets under 'shared-kv/team-alpha/*' and Service-B can only read secrets under 'shared-kv/team-beta/*'. The Vault administrator has already configured the Kubernetes auth method and created roles for each service with bound service account names. However, both services are currently able to read all paths under 'shared-kv/'. The administrator wants to enforce the least privilege access. Which course of action should the administrator take?

18

A company wants to securely store database credentials for a dynamic application that spins up new instances frequently. They need to ensure each instance gets a unique, time-limited username/password pair with minimal operational overhead. Which approach should they use?

19

Which TWO of the following are valid methods to enable a secrets engine at a non-default path in Vault?

20

A DevOps engineer creates the configuration above. After testing, they notice that the generated database credentials are not being revoked after the TTL expires. What is the most likely cause?

21

Drag and drop the steps to configure Vault's database secrets engine with PostgreSQL into the correct order.

22

Match each Vault storage backend to its description.

23

A team wants to store static secrets like database passwords and rotate them periodically. Which secrets engine should they enable?

24

An application needs to obtain short-lived, time-limited credentials to access an external database using username/password authentication. Which secrets engine should be used?

25

A security team wants to ensure that secrets stored in Vault are encrypted in transit and at rest, and that even Vault administrators cannot read the plaintext secret values. Which configuration is required?

26

An organization needs to automatically issue X.509 certificates for internal services. Which secrets engine should they use?

27

A company wants to use Vault to generate IAM users dynamically for each application, following the principle of least privilege. Which secrets engine configuration should they use?

28

An administrator enables the database secrets engine for PostgreSQL. After configuring the connection, running `vault write database/config/someconfig` yields error: 'x509: certificate signed by unknown authority'. What is the most likely cause?

29

A team is evaluating which secrets engines to use for different use cases. Which TWO statements about secrets engines are true?

30

An administrator is configuring the Transit secrets engine for encryption as a service. Which TWO configuration options are valid?

31

A security architect is designing a secrets management solution with Vault. Which THREE secrets engines are most appropriate for dynamically generating credentials for external systems?

32

Refer to the exhibit. A Vault administrator ran the commands shown. What is the result?

33

Refer to the exhibit. After executing these commands, what is the expected behavior?

34

Refer to the exhibit. An application uses this policy to access Vault. The application is able to read database credentials from `database/creds/my-role`. However, attempts to list all roles at `database/roles/` fail. What is the most likely cause?

35

A developer wants to store an API key for their application in Vault using the key-value secrets engine. They need to be able to retrieve the key and also roll back to a previous version if needed. Which secrets engine configuration should they use?

36

A Vault administrator has enabled the PKI secrets engine and configured a root CA. They now need to issue certificates for multiple internal services, each with its own common name (CN). Which is the most efficient way to issue certificates while maintaining security?

37

An organization uses the AWS secrets engine to generate IAM users for each application. They want to ensure that if a Vault server is compromised, the attacker cannot use the AWS secrets engine configuration to gain access to the AWS account. Which additional security measure should be implemented?

38

A company needs to generate short-lived, dynamic database credentials for its MySQL instances. Which secrets engine should be configured?

39

An operator wants to enable the database secrets engine at a custom path 'db-creds'. Which command should be used?

40

A Vault instance was upgraded from version 1.9 to 1.13. After the upgrade, a secrets engine mounted at 'transit/' is unresponsive and returns an error. The engine type is transit. What is the most likely cause?

41

An organization wants to encrypt data in transit and at rest using a centralized key management system. Which secrets engine is designed for encryption/decryption operations without storing data?

42

A team is adopting Vault and wants to organize secrets by application and environment (e.g., production, staging). What is the best practice for secrets engine path naming?

43

A DevOps engineer configures the AWS secrets engine to assume a specific IAM role for generating dynamic credentials. The engine is enabled and the root configuration is set. Which parameter is essential in the role configuration to allow assuming the IAM role?

44

An administrator wants to view all currently enabled secrets engines and their mount paths. Which command provides this information?

45

A developer needs to generate a new certificate for an internal web service using the PKI secrets engine. A role named 'webserver' has been created. What is the correct command to issue the certificate?

46

An organization needs to store secrets with versioning support, allowing rollback to previous secret values. Which KV secrets engine version should be enabled?

47

Which TWO of the following are benefits of using dynamic secrets engines (e.g., database, AWS) over static secrets?

48

Which THREE steps are required to configure the database secrets engine for generating dynamic credentials?

49

Which THREE operations does the transit secrets engine support?

50

An operator needs to enable the KV v2 secrets engine at the path 'team-alpha'. Which command should they run?

51

A development team wants to encrypt sensitive data before storing it in a database. They don't want to manage encryption keys themselves. Which secrets engine should they use?

52

An organization uses a PostgreSQL database. They configure a database secrets engine with a role that grants read-only access. However, after revoking the lease, the database user still exists. What is the most likely cause?

53

Which TWO of the following are valid paths for reading and writing data in the KV v2 secrets engine? (Choose two.)

54

Which THREE of the following are capabilities of the PKI secrets engine? (Choose three.)

55

Which TWO statements are true about the AWS secrets engine? (Choose two.)

56

Refer to the exhibit. A Vault policy allows 'list' on 'secret/data/*'. A user tries to list keys under 'secret/data/' and gets a permission denied error. What is the most likely reason?

57

Refer to the exhibit. An operator issues a certificate using this intermediate CA. The resulting certificate uses SHA1 signature algorithm. The operator wants SHA256. What should they do?

58

Refer to the exhibit. A user deletes the current version of 'secret/myapp' using 'vault kv delete secret/myapp'. What happens to the version?

59

An admin needs to store a configuration value that is unique to each Vault client and must not be shared. Which secrets engine should they use?

60

A company needs to automatically generate short-lived database credentials for developers. Which secrets engine should they use?

61

An organization uses the Transit secrets engine to encrypt sensitive files. They want to rotate the encryption key regularly without re-encrypting all existing files. Which feature allows this?

62

A Vault administrator configures an AWS secrets engine role with credential_type=iam_user and attaches a policy that allows creating EC2 instances. A developer generates credentials and uses them to launch an EC2 instance. Later the lease expires and Vault revokes the IAM user. What happens to the EC2 instance?

63

A Vault operator runs 'vault secrets list' and sees 'cubbyhole/' mounted. What is the purpose of this engine?

64

An operator configures a PKI role with allow_any_name=true and max_ttl=72h. A user requests a certificate with common_name='admin.example.com' and ttl=48h. What is the resulting TTL?

65

An administrator configures a database secrets engine with a role that uses 'creation_statements' and 'revocation_statements'. However, when a lease expires, the database user is not revoked. What is the most likely cause?

66

A DevOps team needs to provide temporary database credentials to applications without storing long-lived passwords. Which secrets engine should they use?

67

An organization wants to use Vault to generate AWS IAM users with specific managed policies attached. They have configured the AWS secrets engine with the appropriate IAM credentials. What step is required to ensure each generated user gets the correct policies?

68

An application is failing to decrypt data using the transit secrets engine. The ciphertext was generated with key 'my-key' version 3, but the engine currently shows key version 5. What is the most likely cause of the failure?

69

A company needs to issue short-lived TLS certificates for internal microservices. They want to set up a private CA using Vault. Which steps are required to configure the PKI secrets engine?

70

After migrating from an older version of Vault, the operator wants to replace the deprecated 'generic' secrets engine with a modern alternative. Which secrets engine should be used to store static key-value pairs?

71

Which TWO of the following are features of the AWS secrets engine compared to the Azure secrets engine?

72

Which THREE steps are required to configure the database secrets engine for a MySQL database?

73

Which TWO best practices should be followed when tuning secrets engine mounts?

74

A team is using Vault's KV v2 secrets engine to store API keys for multiple microservices. They have enabled versioning and need to ensure that when a secret is deleted, it can be recovered within 30 days. Additionally, they want to keep a history of all versions for compliance. The team has noticed that some secrets are being permanently removed immediately instead of moving to a deleted state. Which configuration change should they make to enforce this behavior?

75

An e-commerce application integrates with Vault's transit secrets engine to encrypt sensitive customer data before storing it in a database. The operations team regularly rotates the encryption key (my-key) for compliance. Recently, after a rotation, some old ciphertexts could not be decrypted, causing data retrieval failures. The team checked the key configuration and found that the key version used for encryption (version 2) is still present, but decryption fails with an error: 'decryption key version is not available for decryption'. They verified that the ciphertext includes the key version. What is the most likely cause and resolution?

76

A startup wants to use Vault to manage MySQL database credentials for their development environment. They have a single MySQL database and require that each application gets unique, short-lived credentials that are automatically rotated. The operations team enabled the database secrets engine, configured the MySQL connection, and created a role with a TTL of 1 hour. However, when an application requests credentials using the role, Vault returns an error: 'No more available leases on this role'. The team checks the role's configuration and sees that the 'max_ttl' is set to 1 hour and 'default_ttl' is also 1 hour. What is the most likely cause of this error?

77

A company is using Vault's PKI secrets engine to issue certificates for internal services. They have set up a root CA and an intermediate CA. The intermediate CA's certificate expires soon, and they need to renew it. They generate a new intermediate CSR and have it signed by the root CA. After importing the new intermediate certificate, the team notices that certificates issued by the old intermediate are still valid but new certificate requests fail with 'no valid intermediate CA found'. What step did the team likely miss?

78

A multi-national company uses Vault's AWS secrets engine to manage access to multiple AWS accounts. They have a central Vault cluster and need to generate IAM users in account A that assume a role in account B for cross-account access. The team has configured the AWS secrets engine with the root credentials of account A. They created a role on the engine that should generate STS credentials for the cross-account role. However, when they try to generate credentials, Vault returns an error: 'AccessDenied: User: arn:aws:iam::<accountA>:user/vault-user is not authorized to perform: STS:AssumeRole on resource: arn:aws:iam::<accountB>:role/CrossAccountRole'. What additional configuration is required?

79

Refer to the exhibit. A user has a token with a policy that grants 'read' on 'secret/*'. The user attempts to read the secret at 'secret/data/app' using `vault kv get secret/data/app` but receives a '404 Not Found' error. The user can successfully list the engine at 'secret/' with `vault secrets list`. What is the most likely cause of the 404 error?

80

Which TWO of the following are correct statements about Vault secrets engines?

81

A company uses Vault to store application configuration secrets for multiple teams. The Vault cluster is running in production and has the KV secrets engine enabled at the path 'secret/' using version 2. A DevOps engineer, using a Vault token with full admin access, creates a new secret at 'secret/data/team-a/app-config' using the CLI command 'vault kv put secret/team-a/app-config key=value'. The secret is intended for the CI/CD pipeline, which uses a token with a policy that grants 'read' capability on 'secret/data/*'. The pipeline is configured to read the secret by calling the Vault API at the path 'v1/secret/team-a/app-config'. The pipeline reports a 404 Not Found error. The pipeline engineer verifies that the token is valid and has the correct policy attached. All other secrets in the same path can be read successfully by the pipeline. What is the most likely cause of the 404 error?

Frequently asked questions

What does the Compare and configure secrets engines domain cover on the VA-003 exam?

The Compare and configure secrets engines domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.

How many Compare and configure secrets engines questions are in the VA-003 question bank?

The Courseiva VA-003 question bank contains 81 questions in the Compare and configure secrets engines domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Compare and configure secrets engines for VA-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Compare and configure secrets engines questions for VA-003?

Yes — the session launcher on this page draws questions exclusively from the Compare and configure secrets engines domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
