Practice VA-003 Create Vault policies questions with full explanations on every answer.
1. A company wants to grant developers the ability to read and write secrets under the path 'secret/dev/*', but only they should be able to delete their own secrets. Which policy design best meets this requirement?
2. Which TWO of the following are valid capabilities that can be specified in a Vault policy?
3. A DevOps team is managing secrets for a microservices application using Vault. They have created a policy named 'app-policy' that grants read access to secrets under the path 'secret/data/app/*'. The policy is assigned to an AppRole role. When a service authenticates with the role ID and secret ID, it receives a token but is unable to read secrets from 'secret/data/app/db-creds'. The token's identity metadata shows the policies associated with the token include 'default' and 'app-policy'. The Vault server logs show no errors. The service can successfully read other secrets from the same path, like 'secret/data/app/config'. What is the most likely cause of the issue?
4. A security team wants to ensure that all Vault policies for applications follow the principle of least privilege. They have a policy 'app-kv' that grants read access to secrets under 'secret/data/app/*'. An auditor finds that a developer can also read secrets under 'secret/data/team/*'. The policy currently uses a path-based glob. Which change should the team make to restrict access to only the app path?
5. A DevOps team is writing a Vault policy for a CI/CD pipeline that needs to authenticate using AppRole, read specific secrets, and write dynamic database credentials. Which THREE capabilities should be included in the policy to meet these requirements? (Choose three.)
6. Refer to the exhibit. A developer reports that they cannot read secrets under 'secret/data/kv-v2/engineering/db-pass' using a token that has the above policy attached. What is the most likely cause?
7. Drag and drop the steps to create and use a periodic service token in Vault into the correct order.
8. Match each Vault command to its function.
9. A DevOps team needs to create a Vault policy that allows reading secrets from path "secret/data/app" but only for the key "db_password". They want to enforce this using Vault's policy syntax. Which policy statement achieves this?
10. A security administrator wants to create a policy that allows a service to renew its own token and list its own token capabilities, but not create new tokens. Which policy statements should be included?
11. A Vault administrator is designing a policy for a CI/CD pipeline that must be able to read dynamic database credentials from "database/creds/my-role" and also write to "secret/data/ci-cd" for storing build artifacts. The policy should follow the principle of least privilege. Which policy statements should be used?
12. A Vault operator is crafting a policy for a new application. Which two of the following are valid capabilities in a Vault policy path statement? (Select two.)
13. Which three of the following are valid capabilities in a Vault policy path statement? (Select three.)
14. A Vault policy must allow a service to read secrets from "secret/data/app" and also be able to renew its own token. Which two policy statements are necessary and sufficient for this requirement? (Select two.)
15. Refer to the exhibit. A user with this policy attempts to read the secret at path "secret/data/team-a/admin". What will happen?
16. Refer to the exhibit. An application needs to encrypt data using the transit engine with key "app-key". It currently has this policy. Which statement is true?
17. Refer to the exhibit. A user with this policy tries to write a new secret to "secret/data/production/db". What will happen?
18. A company uses Vault's KV v2 secrets engine. A policy is needed to allow a service to only update existing secrets at path "secret/data/service/config", but not create new ones. Which capabilities should be included?
19. An administrator wants to create a policy that grants the ability to list all authentication methods enabled on the Vault server. Which path and capability are required?
20. A Vault policy includes the following statement: path "secret/data/+/app" { capabilities = ["read"] }. Which paths would match this policy? (Assume KV v2.)
21. A policy must allow a user to revoke their own token. Which endpoint and capability are required?
22. A Vault policy has the following: path "identity/entity/id/*" { capabilities = ["read", "list"] }. What does this policy allow?
23. A Vault cluster has several policies. One policy, "app-policy", contains: path "secret/data/app/*" { capabilities = ["create", "update"] }. Another policy, "admin-policy", includes: path "secret/data/app/db" { capabilities = ["deny"] }. A token is attached with both policies. Can the token write to "secret/data/app/db"?
24. A DevOps team has configured a Vault policy to allow reading secrets from the 'secret/data/engineering' path. The policy contains: path "secret/data/engineering/*" { capabilities = ["read", "list"] }. However, when a user attempts to read a secret at 'secret/data/engineering/db/password', they receive a permission denied error. What is the most likely cause?
25. An organization is implementing Vault policies for the first time. They want to ensure that policies are easy to manage and follow the principle of least privilege. Which approach should they take when creating policies?
26. A Vault administrator needs to create a policy that grants users read access only to the secrets that belong to their own team. The team membership is stored in an external identity provider and mapped to Vault entity aliases. The administrator wants to use a templated policy that references the entity's metadata. Which policy syntax accomplishes this goal?
27. A developer has a policy that grants 'create' capability on path 'secret/data/team/*'. They successfully create a new secret using 'vault kv put secret/data/team/db', but when they try to update the same secret with new data, they get a permission denied error. What is the most likely cause?
28. An organization is creating Vault policies to manage access to secrets across multiple application teams. According to HashiCorp best practices, which two approaches should be taken when designing policies? (Choose two.)
29. A company has deployed Vault with an LDAP auth method and has created entity aliases for all users. The company uses the KV v2 secrets engine mounted at 'secret/'. Each team's secrets are stored under a path like 'secret/data/team_<team_name>/'. They have multiple teams (engineering, marketing, sales). Currently, an administrator manually creates a separate policy for each team, e.g., path "secret/data/team_engineering/*" { capabilities = ["read", "list"] }. This is becoming cumbersome as new teams are added. The administrator wants to create a single policy that dynamically grants read access to the secrets path corresponding to the user's team, which is stored in the entity's metadata as 'team'. The LDAP auth method is configured to sync group memberships and map to entity aliases, and the entity metadata is correctly populated. Which approach should the administrator take?
30. A development team is using the Vault transit secrets engine to encrypt sensitive data in their application. They have created a policy that includes: path "transit/keys/*" { capabilities = ["encrypt", "decrypt"] } and attached it to their application tokens. However, when the application calls the '/v1/transit/encrypt/my-key' endpoint, it receives a permission denied error. The key 'my-key' exists in the transit engine. The team has verified that the token is not expired and has the correct policy attached. What is the most likely cause of the error?
31. A Vault administrator needs to create a policy for a developer who must read and list secrets from the path 'secret/data/engineering/' and create new secrets under 'secret/data/engineering/projects/'. Which two policy statements should the administrator include? (Choose two.)
32. Refer to the exhibit. Based on the policy shown, which statement is true?
33. A company uses Vault's Kubernetes authentication method to provide secrets to pods. Pods in the 'production' namespace need to read secrets from the path 'secret/data/app/prod'. The administrator has created a Vault role that maps the service account to a policy with capabilities ['read', 'list'] on path 'secret/data/app/*'. However, pods report 'permission denied' when trying to read the secrets. The administrator verifies that the service account has the correct Vault role attached and that the Vault token is being used correctly. What is the most likely cause?
The Create Vault policies domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.
The Courseiva VA-003 question bank contains 33 questions in the Create Vault policies domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Create Vault policies domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.