Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsVA-003DomainsUtilize Vault CLI and API
VA-003Free — No Signup

Utilize Vault CLI and API

Practice VA-003 Utilize Vault CLI and API questions with full explanations on every answer.

62questions

Start practicing

Utilize Vault CLI and API — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

VA-003 Domains

Compare authentication methodsAssess Vault tokensCreate Vault policiesManage Vault leasesCompare and configure secrets enginesUtilize Vault CLI and APIExplain Vault architectureExplain encryption as a service

Practice Utilize Vault CLI and API questions

10Q20Q30Q50Q

All VA-003 Utilize Vault CLI and API questions (62)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A DevOps engineer needs to write a new secret to the KV v2 engine at path 'secret/data/team' with key 'api_key' and value 'abc123'. Which Vault CLI command achieves this?

2

An admin wants to list all enabled authentication methods using the Vault API. Which curl command is correct?

3

A user wants to log in using the userpass auth method with username 'jdoe' and password 'p@ssw0rd'. What is the correct API endpoint and request?

4

A security team needs to create a token with a custom TTL of 1 hour and associate it with a policy named 'read-only'. Which Vault CLI command accomplishes this?

5

An operator wants to enable the AWS auth method at the default path. Which curl command is correct?

6

Which TWO of the following are valid methods to authenticate to Vault using the CLI?

7

Which THREE of the following are correct about using the Vault API to read a secret from KV v2 engine?

8

Refer to the exhibit. A developer ran the command and received the JSON output. Which command would retrieve only the value of 'api_key' in plain text?

9

Refer to the exhibit. A user has a token that has the 'default' policy attached. What actions can the user perform on 'secret/data/team'?

10

You are a Vault administrator for a large organization. Your team uses a centralized Vault cluster with multiple auth methods enabled, including userpass, LDAP, and approle. Recently, a developer reported that they are unable to authenticate using their userpass credentials, receiving the error 'permission denied'. The developer confirms the username and password are correct. Other developers using userpass can authenticate successfully. The Vault audit logs show that the authentication request for this developer is reaching Vault but failing with 'invalid password'. You have verified that the password is correct by resetting it via the Vault CLI. The developer's userpass entry exists and is not disabled. Which of the following is the most likely cause and correct course of action?

11

Which TWO of the following Vault CLI commands can be used to write data to Vault?

12

A DevOps engineer is tasked with automating the rotation of a static secret stored in Vault's KV secrets engine (version 2). The secret is currently stored at path 'secret/data/app/config' with keys 'username' and 'password'. The engineer wants to update the 'password' key using the Vault CLI from a CI/CD pipeline. The pipeline uses a token with a policy that grants 'create', 'update', and 'read' capabilities on 'secret/data/app/*'. Which CLI command should the engineer use to update only the 'password' key, leaving other keys unchanged?

13

A DevOps engineer is troubleshooting a Vault CLI command that is failing with the error 'Error writing data: Error making API request'. The engineer has verified that the Vault token is valid and unexpired. Which of the following is the most likely cause of this error?

14

A company uses Vault to manage secrets for multiple applications. A new security policy requires that all human users authenticate using LDAP and that all machine-to-machine authentication uses AppRole. An administrator has configured an LDAP auth method at 'ldap/' and an AppRole at 'approle/'. The administrator creates a role 'web-app' with a secret ID TTL of 30 days and a token TTL of 1 hour. After deploying the web application, the application successfully logs in using the AppRole role ID and secret ID, retrieves a token, and reads secrets. However, after 1 hour, the application begins receiving 'permission denied' errors when trying to read secrets. The application logs show that it is using the same token obtained during initial login. Which action should the administrator take to resolve this issue?

15

Drag and drop the steps to set up Vault's Transit secrets engine for encryption/decryption into the correct order.

16

Match each Vault policy capability to its permission.

17

A developer wants to authenticate to Vault using LDAP credentials. Which CLI command should they use?

18

An operator needs to create a token role named 'web-app' with a default TTL of 24 hours. Which API request is correct?

19

A user receives 'permission denied' when running 'vault write secret/data/myapp value=123'. The user's token has a policy that includes 'path "secret/data/*" { capabilities = ["read", "list"] }'. What is the most likely cause?

20

A team wants to retrieve a dynamic database credential from Vault. Which CLI command should be used?

21

An administrator wants to mount the AWS secrets engine at 'aws' path using the API. Which request is correct?

22

A security team must automate periodic credential rotation for a database. The rotation script should run on a server that cannot have the Vault binary installed but can make HTTP requests. Which approach should they use?

23

A user runs 'vault write secret/mydata value=hello' and gets a warning about missing metadata. They intended to store a simple key-value pair. What is the most likely issue?

24

An operator needs to create a periodic token with a period of 36 hours. Which command should they use?

25

A user tries to renew their own token using 'vault token renew -self' and gets 'Error renewing token: Error making API request'. The token is still valid. What could be the cause?

26

A user wants to view information about their current token, including its policies and TTL. Which TWO CLI commands can be used?

27

A policy must allow a user to write a new version of an existing secret in a KV v2 secrets engine. Which TWO capabilities are required on the 'data/' path?

28

An operator needs to perform token lifecycle operations. Which THREE API endpoints are valid for token-related actions?

29

Refer to the exhibit. A user with this policy attempts to read 'secret/data/team/admin'. What will happen?

30

Refer to the exhibit. A user runs 'vault token renew -self' on this token. What is the expected behavior?

31

Refer to the exhibit. A user wants to write a secret 'db_password' with value 's3cret' to this secrets engine. Which CLI command should be used?

32

An administrator wants to retrieve the value of a secret stored at the path 'kv/secret/mykey' using the Vault CLI. Which command should they use?

33

A user attempts to read a secret at path 'secret/data/app' and receives a 403 Forbidden error. What is the most likely cause?

34

An administrator needs to securely provide a one-time use token to a remote service using Vault response wrapping. Which CLI flag or command should they use?

35

An engineer wants to list all secrets under the path 'myapp/' in a KV v2 secrets engine mounted at 'secret/'. Which API call should they make?

36

Which Vault CLI command is used to authenticate a user with a username and password to the userpass auth method?

37

A Vault agent is configured with auto-auth and is used to renew a long-running application's token. Which token type is best suited to minimize interruptions and avoid token renewal failures?

38

When running Vault in development mode, which storage backend is used by default?

39

An administrator has created a policy file named 'app-policy.hcl'. Which command should they use to upload this policy to Vault?

40

A DevOps engineer needs to create a token with a specific policy attached using the Vault API. Which API endpoint and request should they use?

41

Which TWO statements are true when troubleshooting a failed Vault CLI command?

42

Which THREE are benefits of using Vault response wrapping?

43

Which THREE API endpoints are valid for managing policies in Vault?

44

The CLI command returns a 403 error. What is the most likely cause?

45

This Vault agent configuration section is incomplete. What is missing for the AWS auto-auth method to function correctly?

46

A user with this policy wants to delete secrets under the 'team/' path. Which additional capability must be added?

47

A DevOps engineer runs `vault token lookup s.abc123` and receives a permission denied error. The engineer has a valid token with the default policy attached. What is the most likely cause?

48

An administrator wants to write a secret 'myapp' with value 'password=pass123' to the KV v2 secret engine mounted at 'secret/'. Which command should they use?

49

A security team needs to automate the rotation of a database password stored in Vault. The password is currently written as a static secret at 'database/creds/prod'. They want to use the Vault API to read and rewrite the secret, ensuring that the previous version is preserved for audit. The script must handle the case where the secret path may not exist. Which approach should they use?

50

An operator runs `vault lease renew -increment=3600 database/creds/readonly/abc123` and gets an error: 'Error renewing lease: Error making API request. URL: PUT https://vault.example.com/v1/sys/leases/renew. Code: 400. Errors: * invalid lease ID'. What is the most likely cause?

51

An application needs to read a secret using the Vault API after authenticating with an AppRole RoleID and SecretID. The application has already obtained a Vault token. Which API endpoint should be called to read a secret at 'secret/data/myapp' with the token?

52

A Vault cluster has a performance secondary cluster replicating from a primary. An administrator needs to generate a one-time password (OTP) for an SSH target. They are on the secondary cluster. They run `vault write ssh/otp/otp_role ip=10.0.0.1 username=admin`. What is the expected behavior?

53

Which TWO of the following are valid methods to authenticate to Vault using the CLI without using a token? (Choose two.)

54

Which TWO of the following are valid uses of the Vault API for managing leases? (Choose two.)

55

Which THREE of the following are true about using the Vault API with response wrapping? (Choose three.)

56

A company runs a monolithic application that reads database credentials from Vault KV v2 secrets engine at path 'app/db'. The application authenticates using an AppRole with a periodic token that renews automatically. Recently, the application started failing with permission denied errors when reading the secret. The administrator checks the AppRole's secret-id and token but they are valid. The administrator then runs `vault token capabilities $(cat /tmp/token) app/db/data` and gets an empty list. The administrator knows that the token has the 'app-policy' policy attached. They also run `vault read sys/policy/app-policy` and see the policy rules. The policy allows explicit 'read' on 'app/db/data'. What could be the issue?

57

A team is migrating from a monolithic application to microservices. Each microservice needs to authenticate to Vault using its own AppRole. The security team wants to enforce that each AppRole can only read secrets from its own dedicated path (e.g., service-a can only read from 'services/service-a/*', service-b from 'services/service-b/*'). They have created the AppRoles and policies. However, during testing, they notice that service-a can read secrets from service-b's path. The administrator checks the policy for service-a and sees it has a 'capabilities' list on 'services/service-a/*' and also 'services/service-b/*' by mistake. They correct the policy, but the issue persists. What is the most likely reason that service-a still has access?

58

A new administrator is tasked with setting up a Vault development environment. They installed Vault and started the server in dev mode. They want to use the CLI to write and read a secret without authentication. They run `vault kv put secret/hello value=world` but get an error: 'Error writing data to secret/data/hello: Error making API request. URL: PUT https://127.0.0.1:8200/v1/secret/data/hello Code: 403. Errors: * permission denied'. What should they do first to resolve this?

59

An organization uses Vault's AWS secret engine to dynamically generate IAM credentials. The application uses the API to request credentials by calling 'POST /v1/aws/creds/my-role'. Recently, the application started receiving '400 Bad Request' with error 'invalid role ARN'. The role 'my-role' is defined in Vault and has been working for months. The administrator checks the role configuration and confirms the ARN is correct and that the associated IAM policy exists in AWS. The Vault server logs show no connectivity issues with AWS. The application code has not changed. What is the most likely cause?

60

A DevOps engineer is troubleshooting a script that uses the Vault CLI to authenticate and read a secret. The script works when run manually from a terminal, but fails when executed by a CI/CD pipeline. The engineer has verified that the same environment variables (VAULT_ADDR, VAULT_TOKEN) are set in both environments. Which two of the following are likely causes of the failure? (Choose two.)

61

Refer to the exhibit. A user authenticates via the userpass method. The token helper stores the token. The user's default policy grants read access to secret/data/engineering. The user attempts to read secret/data/engineering using `vault kv get secret/engineering`. The command fails with "permission denied". What is the most likely reason?

62

A junior administrator is writing a shell script that will be used by other team members to retrieve static secrets from Vault. The secrets are stored in the KV v2 secrets engine mounted at `secret/`. One particular secret, `credentials`, is located under the path `secret/data/credentials`. The administrator has already authenticated using the Vault CLI with a token that has read access specifically to that path. The environment variables `VAULT_ADDR` and `VAULT_TOKEN` are set correctly to point to the Vault server at `https://vault.example.com:8200` and the valid token. The script needs to run the correct command to retrieve the secret and output its key-value pairs for use by an application. Which command should the administrator include in the script?

Practice all 62 Utilize Vault CLI and API questions

Other VA-003 exam domains

Compare authentication methodsAssess Vault tokensCreate Vault policiesManage Vault leasesCompare and configure secrets enginesExplain Vault architectureExplain encryption as a service

Frequently asked questions

What does the Utilize Vault CLI and API domain cover on the VA-003 exam?

The Utilize Vault CLI and API domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.

How many Utilize Vault CLI and API questions are in the VA-003 question bank?

The Courseiva VA-003 question bank contains 62 questions in the Utilize Vault CLI and API domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Utilize Vault CLI and API for VA-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Utilize Vault CLI and API questions for VA-003?

Yes — the session launcher on this page draws questions exclusively from the Utilize Vault CLI and API domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your VA-003 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

TF-003SY0-701