Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsVA-003DomainsManage Vault leases
VA-003Free — No Signup

Manage Vault leases

Practice VA-003 Manage Vault leases questions with full explanations on every answer.

47questions

Start practicing

Manage Vault leases — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

VA-003 Domains

Compare authentication methodsAssess Vault tokensCreate Vault policiesManage Vault leasesCompare and configure secrets enginesUtilize Vault CLI and APIExplain Vault architectureExplain encryption as a service

Practice Manage Vault leases questions

10Q20Q30Q50Q

All VA-003 Manage Vault leases questions (47)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?

2

An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?

3

Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)

4

A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?

5

A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. They are considering the following actions: A. Increase the default lease TTL for the KV v2 mount to 1 hour. B. Increase the token TTL for the Kubernetes auth role to 1 hour. C. Implement a renewal loop in each service to renew tokens every 10 minutes. D. Use periodic tokens with a period of 1 hour for all services.

6

A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?

7

A Vault administrator needs to manage leases for dynamic secrets. Which TWO of the following are valid operations related to lease management?

8

A developer is troubleshooting an application that uses Vault's PostgreSQL secrets engine. The application successfully obtains a database credential from Vault, but after 30 minutes, the application starts receiving authentication errors from the database. The developer checks the Vault audit logs and sees that the lease for the credential was revoked. The lease was originally created with a TTL of 1 hour. The application is not renewing the lease. The developer wants to fix the issue so that the credential works for the full 1 hour. What should the developer do?

9

A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?

10

An organization uses Vault's AWS secrets engine to generate temporary IAM credentials. The Vault administrator has set the default lease TTL on the AWS mount to 15 minutes. A developer creates a role with role TTL of 30 minutes and explicit max TTL of 1 hour. Which TWO statements are true regarding the lease behavior for credentials generated under this role?

11

Drag and drop the steps to configure Vault's audit logging to a file into the correct order.

12

Match each Vault term to its definition.

13

An administrator notices that after revoking a specific lease, the underlying database credential is still accessible. What is the most likely cause?

14

What command is used to view the remaining time on a lease?

15

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

16

A developer wants to ensure that their application automatically renews its secret leases before expiration. Which approach is recommended?

17

Which of the following best describes a Vault lease?

18

An operator runs vault lease list and sees many expired leases. Why are expired leases still listed?

19

What happens when a lease reaches its TTL?

20

A security policy requires that all leases must be revoked within 1 hour of creation. Which setting should be configured on the secret engine mount?

21

After a Vault migration, some leases are no longer valid and cause errors. What is the best way to force a cleanup of all leases under a specific mount without affecting other mounts?

22

Which two commands can be used to manually revoke leases? (Choose two.)

23

Which three statements about lease renewal are correct? (Choose three.)

24

Which two of the following are valid lease operations? (Choose two.)

25

Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?

26

Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?

27

Refer to the exhibit. What is the most likely cause of this error?

28

A DevOps team uses Vault to generate temporary database credentials. They notice that some applications are failing because their database credentials expire unexpectedly before the expected TTL. The Vault admin configured the database role with a default TTL of 1h and max TTL of 24h. What is the most likely cause?

29

An admin wants to revoke all leases associated with a specific AWS IAM user created by Vault. Which command should they use?

30

A security team wants to ensure that database credentials generated by Vault are never renewed and have a fixed lifespan of 30 minutes. They configure the role with default_ttl=30m and max_ttl=30m, and set renewable=false. However, they find that some users are able to renew the leases anyway. What could be the reason?

31

A Vault administrator wants to configure a role for dynamic secrets with a default TTL of 1 hour and a max TTL of 4 hours. They also want to allow renewal but only up to the max TTL. Which configuration achieves this?

32

An admin needs to check the remaining lifespan of a lease. Which command should they use?

33

An organization uses Vault with a database secrets engine. They have a role that issues credentials with a lease TTL of 30 minutes. After some time, they notice that the database is full of stale users. What is the most likely cause?

34

A Vault operator accidentally revoked a token that was used to lease many database credentials. What happens to the leases associated with that token?

35

Which of the following commands would force a lease to expire immediately?

36

A company uses Vault to manage SSH OTP credentials. They set the role with default_ttl=5m and max_ttl=30m. Users report that they receive an error when trying to renew the OTP after 10 minutes. What is the most likely reason?

37

An admin wants to view all active leases for a specific secrets engine path. Which two approaches are valid? (Choose two.)

38

Which of the following factors determine the actual TTL of a lease issued by a secrets engine? (Choose three.)

39

An admin needs to revoke all leases associated with a particular policy violation. Which two methods can be used? (Choose two.)

40

Based on the exhibit, what is the maximum total lifespan of this lease?

41

A developer requests a credential from this role. Which statement about the resulting lease is true?

42

A large enterprise runs Vault in a production environment with multiple secrets engines, including databases, AWS, and PKI. Recently, the operations team noticed that the number of active leases has grown significantly, causing performance degradation in Vault. The team suspects that many leases are orphaned or expired but not cleaned up. They run the vault lease tidy command regularly, but the issue persists. The vault audit logs show no errors during revocation. However, the team observes that the database credentials are being revoked correctly, but the PKI certificates are not being revoked when their leases expire. Additionally, some AWS IAM user leases seem to persist beyond their max TTL. What is the most likely cause of this issue?

43

A development team is using Vault to dynamically generate PostgreSQL credentials for their application. They configured a database role with a max_lease_ttl of 24 hours. However, credentials are becoming invalid after only 1 hour, causing application errors. The team has verified that the credentials are not being explicitly revoked. Which action should the Vault administrator take to resolve this issue?

44

An application uses Vault's KV v2 secrets engine to read a static secret (e.g., API key) at path 'secret/data/myapp/config'. The application initially reads the secret and uses the returned lease_id to successfully renew the lease every hour. After a maintenance window, the application starts failing to renew the lease, receiving an error that the lease is not renewable or does not exist. The secret data is still present and accessible via a new read. What is the most likely cause of this failure?

45

A Vault operator wants to manage lease durations for secrets issued by a PKI secrets engine. Which two actions can they take to affect the lease duration of certificates?

46

A Vault operator runs the command shown in the exhibit and wants to renew the lease before it expires. The operator has a valid token. What must be true for the renewal to succeed?

47

A company runs a microservices architecture where each service authenticates to Vault using AppRole and is assigned a role with a periodic token. The operations team notices that some services experience authentication failures after exactly 24 hours of uptime, even though their tokens were initially issued with a TTL of 24 hours and 'renewable' set to true. The services are configured to renew their tokens automatically before expiry. Upon investigation, the Vault logs show the error: 'failed to renew token: token has exceeded its max TTL'. The Vault server is configured with a default 'max_lease_ttl' of 24 hours and a 'default_lease_ttl' of 1 hour at the system level. The AppRole role has no explicit TTL or max TTL set. What is the most likely cause of the failure?

Practice all 47 Manage Vault leases questions

Other VA-003 exam domains

Compare authentication methodsAssess Vault tokensCreate Vault policiesCompare and configure secrets enginesUtilize Vault CLI and APIExplain Vault architectureExplain encryption as a service

Frequently asked questions

What does the Manage Vault leases domain cover on the VA-003 exam?

The Manage Vault leases domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.

How many Manage Vault leases questions are in the VA-003 question bank?

The Courseiva VA-003 question bank contains 47 questions in the Manage Vault leases domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Manage Vault leases for VA-003?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Manage Vault leases questions for VA-003?

Yes — the session launcher on this page draws questions exclusively from the Manage Vault leases domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your VA-003 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

TF-003SY0-701