Practice VA-003 Manage Vault leases questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?
2. An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?
3. Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)
4. A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?
5. A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. They are considering the following actions:
   A. Increase the default lease TTL for the KV v2 mount to 1 hour.
   B. Increase the token TTL for the Kubernetes auth role to 1 hour.
   C. Implement a renewal loop in each service to renew tokens every 10 minutes.
   D. Use periodic tokens with a period of 1 hour for all services.
6. A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?
7. A Vault administrator needs to manage leases for dynamic secrets. Which TWO of the following are valid operations related to lease management?
8. A developer is troubleshooting an application that uses Vault's PostgreSQL secrets engine. The application successfully obtains a database credential from Vault, but after 30 minutes, the application starts receiving authentication errors from the database. The developer checks the Vault audit logs and sees that the lease for the credential was revoked. The lease was originally created with a TTL of 1 hour. The application is not renewing the lease. The developer wants to fix the issue so that the credential works for the full 1 hour. What should the developer do?
9. A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?
10. An organization uses Vault's AWS secrets engine to generate temporary IAM credentials. The Vault administrator has set the default lease TTL on the AWS mount to 15 minutes. A developer creates a role with role TTL of 30 minutes and explicit max TTL of 1 hour. Which TWO statements are true regarding the lease behavior for credentials generated under this role?
11. Drag and drop the steps to configure Vault's audit logging to a file into the correct order.
12. Match each Vault term to its definition.
13. An administrator notices that after revoking a specific lease, the underlying database credential is still accessible. What is the most likely cause?
14. What command is used to view the remaining time on a lease?
15. A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?
16. A developer wants to ensure that their application automatically renews its secret leases before expiration. Which approach is recommended?
17. Which of the following best describes a Vault lease?
18. An operator runs vault lease list and sees many expired leases. Why are expired leases still listed?
19. What happens when a lease reaches its TTL?
20. A security policy requires that all leases must be revoked within 1 hour of creation. Which setting should be configured on the secret engine mount?
21. After a Vault migration, some leases are no longer valid and cause errors. What is the best way to force a cleanup of all leases under a specific mount without affecting other mounts?
22. Which two commands can be used to manually revoke leases? (Choose two.)
23. Which three statements about lease renewal are correct? (Choose three.)
24. Which two of the following are valid lease operations? (Choose two.)
25. Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?
26. Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?
27. Refer to the exhibit. What is the most likely cause of this error?
28. A DevOps team uses Vault to generate temporary database credentials. They notice that some applications are failing because their database credentials expire unexpectedly before the expected TTL. The Vault admin configured the database role with a default TTL of 1h and max TTL of 24h. What is the most likely cause?
29. An admin wants to revoke all leases associated with a specific AWS IAM user created by Vault. Which command should they use?
30. A security team wants to ensure that database credentials generated by Vault are never renewed and have a fixed lifespan of 30 minutes. They configure the role with default_ttl=30m and max_ttl=30m, and set renewable=false. However, they find that some users are able to renew the leases anyway. What could be the reason?
31. A Vault administrator wants to configure a role for dynamic secrets with a default TTL of 1 hour and a max TTL of 4 hours. They also want to allow renewal but only up to the max TTL. Which configuration achieves this?
32. An admin needs to check the remaining lifespan of a lease. Which command should they use?
33. An organization uses Vault with a database secrets engine. They have a role that issues credentials with a lease TTL of 30 minutes. After some time, they notice that the database is full of stale users. What is the most likely cause?
34. A Vault operator accidentally revoked a token that was used to lease many database credentials. What happens to the leases associated with that token?
35. Which of the following commands would force a lease to expire immediately?
36. A company uses Vault to manage SSH OTP credentials. They set the role with default_ttl=5m and max_ttl=30m. Users report that they receive an error when trying to renew the OTP after 10 minutes. What is the most likely reason?
37. An admin wants to view all active leases for a specific secrets engine path. Which two approaches are valid? (Choose two.)
38. Which of the following factors determine the actual TTL of a lease issued by a secrets engine? (Choose three.)
39. An admin needs to revoke all leases associated with a particular policy violation. Which two methods can be used? (Choose two.)
40. Based on the exhibit, what is the maximum total lifespan of this lease?
41. A developer requests a credential from this role. Which statement about the resulting lease is true?
42. A large enterprise runs Vault in a production environment with multiple secrets engines, including databases, AWS, and PKI. Recently, the operations team noticed that the number of active leases has grown significantly, causing performance degradation in Vault. The team suspects that many leases are orphaned or expired but not cleaned up. They run the vault lease tidy command regularly, but the issue persists. The vault audit logs show no errors during revocation. However, the team observes that the database credentials are being revoked correctly, but the PKI certificates are not being revoked when their leases expire. Additionally, some AWS IAM user leases seem to persist beyond their max TTL. What is the most likely cause of this issue?
43. A development team is using Vault to dynamically generate PostgreSQL credentials for their application. They configured a database role with a max_lease_ttl of 24 hours. However, credentials are becoming invalid after only 1 hour, causing application errors. The team has verified that the credentials are not being explicitly revoked. Which action should the Vault administrator take to resolve this issue?
44. An application uses Vault's KV v2 secrets engine to read a static secret (e.g., API key) at path 'secret/data/myapp/config'. The application initially reads the secret and uses the returned lease_id to successfully renew the lease every hour. After a maintenance window, the application starts failing to renew the lease, receiving an error that the lease is not renewable or does not exist. The secret data is still present and accessible via a new read. What is the most likely cause of this failure?
45. A Vault operator wants to manage lease durations for secrets issued by a PKI secrets engine. Which two actions can they take to affect the lease duration of certificates?
46. A Vault operator runs the command shown in the exhibit and wants to renew the lease before it expires. The operator has a valid token. What must be true for the renewal to succeed?
47. A company runs a microservices architecture where each service authenticates to Vault using AppRole and is assigned a role with a periodic token. The operations team notices that some services experience authentication failures after exactly 24 hours of uptime, even though their tokens were initially issued with a TTL of 24 hours and 'renewable' set to true. The services are configured to renew their tokens automatically before expiry. Upon investigation, the Vault logs show the error: 'failed to renew token: token has exceeded its max TTL'. The Vault server is configured with a default 'max_lease_ttl' of 24 hours and a 'default_lease_ttl' of 1 hour at the system level. The AppRole role has no explicit TTL or max TTL set. What is the most likely cause of the failure?
The Manage Vault leases domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.
The Courseiva VA-003 question bank contains 47 questions in the Manage Vault leases domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage Vault leases domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.