HashiCorp · Free Practice Questions · Last reviewed May 2026
48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A DevOps team wants to authenticate to Vault using short-lived tokens without storing a secret in their CI/CD pipeline. Which authentication method best meets this requirement?
JWT/OIDC
Correct: JWT/OIDC allows token exchange without storing static secrets.
AWS IAM
AppRole
Username & Password
An organization uses Kubernetes pods to access Vault. They want to avoid hardcoding any secrets in the pod definition. Which authentication method should they use?
LDAP
Kubernetes
Kubernetes auth uses the pod's service account token; no secrets are hardcoded.
Username & Password
AppRole
A security team notices that some Vault users are authenticating with the Userpass auth method, but they want to enforce password complexity and expiration. What is the best approach?
Migrate users to an external identity provider and use LDAP or OIDC auth.
External IDPs can enforce password policies; Vault can leverage them.
Switch to token-based authentication and issue tokens with TTL.
Use Vault's password policy plugin with Userpass.
Configure password policies in Vault's Userpass auth method.
A company has multiple AWS accounts and wants to allow EC2 instances to authenticate to Vault without storing any secrets on the instances. Which authentication method should they use?
OIDC
AWS
AWS auth uses instance metadata; no secrets are stored on the instance.
TLS Certificates
AppRole
An administrator configures AppRole with a RoleID and SecretID. They want to ensure that each SecretID can be used only once. Which configuration should they use?
Set token_num_uses=1 in the role.
Set bound_cidr_list to a specific IP.
Set secret_id_ttl=1s in the role.
Set secret_id_num_uses=1 in the role.
secret_id_num_uses limits the number of times a SecretID can be used.
Which authentication method allows a user to authenticate using a one-time password (OTP) generated by an authenticator app?
Okta
Okta supports TOTP via the Okta API.
Userpass
GitHub
LDAP
A DevOps team is using Vault tokens for authentication in CI/CD pipelines. They notice that tokens are often expired before the pipeline completes, causing failures. Which Vault feature should they use to address this without manual intervention?
Use batch tokens for better performance
Use periodic tokens with a short period and allow renewal
Periodic tokens can be renewed before expiration as long as they are within max TTL.
Create orphan tokens so they don't expire with the parent
Increase the default TTL on the token auth method
An application uses a Vault token with a policy that grants read access to secrets. The security team wants to ensure that if the application is compromised, the token cannot be used after a certain time even if the attacker has the token. What is the best approach?
Use a revocation script that runs periodically
Set explicit max TTL on the token
Use a periodic token with a long period
Set a short TTL on the token and do not allow renewal
A short TTL ensures the token expires quickly.
A developer created a token and wants to ensure that the token can only be used to read secrets from the 'secret/data/production' path. Which policy attachment approach should be used?
Set the token's metadata to restrict access
Use a root token and restrict its use via a policy
Create a policy with read capability on 'secret/data/production' and attach it to the token
Policies define access; attaching the policy grants the token those permissions.
Set the token type to service and it will automatically restrict access
A Vault administrator wants to allow a CI/CD pipeline to create short-lived tokens for deployment jobs. The pipeline itself authenticates with a periodic token. Which token type should the pipeline use to create tokens for jobs, considering the jobs need to be independent and not affected by the pipeline token's lifecycle?
Service tokens with explicit max TTL
Orphan tokens
Orphan tokens are not revoked when the parent expires.
Periodic tokens
Batch tokens
An organization uses Vault with AWS IAM auth. After rotating the AWS IAM role credentials, users are unable to authenticate with Vault. The Vault audit logs show 'permission denied' for the AWS auth method. What is the most likely cause?
The IAM role trust policy was not updated after credential rotation
The trust policy must allow the new credentials to assume the role.
The Vault token TTL expired
The client token used for AWS auth is revoked
The AWS secret engine is disabled
A Vault user wants to check the capabilities of their token on a specific path. Which command should they use?
vault token list
vault token capabilities <path>
This shows what actions the current token can perform on the path.
vault policy capabilities <policy_name> <path>
vault token lookup <token>
A company wants to grant developers the ability to read and write secrets under the path 'secret/dev/*', but only they should be able to delete their own secrets. Which policy design best meets this requirement?
path "secret/dev/*" { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/dev/*" { capabilities = ["read", "list"] }
path "secret/dev/+/{{identity.entity.name}}" { capabilities = ["create", "read", "update", "delete"] }
path "secret/dev/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "secret/dev/{{identity.entity.name}}/*" { capabilities = ["delete"] }
Correctly grants full access to the dev path, but delete is only allowed on the user's own sub-path using entity name.
Which TWO of the following are valid capabilities that can be specified in a Vault policy?
create
'create' is a valid capability.
write
sudo
rename
update
'update' is a valid capability.
A DevOps team is managing secrets for a microservices application using Vault. They have created a policy named 'app-policy' that grants read access to secrets under the path 'secret/data/app/*'. The policy is assigned to an AppRole role. When a service authenticates with the role ID and secret ID, it receives a token but is unable to read secrets from 'secret/data/app/db-creds'. The token's identity metadata shows the policies associated with the token include 'default' and 'app-policy'. The Vault server logs show no errors. The service can successfully read other secrets from the same path, like 'secret/data/app/config'. What is the most likely cause of the issue?
The secret 'secret/data/app/db-creds' does not exist in Vault.
Other secrets work, so this specific secret likely does not exist.
The token does not have the 'app-policy' policy attached due to a misconfiguration in the role.
There is an explicit deny rule in the policy that denies access to 'db-creds'.
The token is periodic and does not have the correct capabilities for the path.
A security team wants to ensure that all Vault policies for applications follow the principle of least privilege. They have a policy 'app-kv' that grants read access to secrets under 'secret/data/app/*'. An auditor finds that a developer can also read secrets under 'secret/data/team/*'. The policy currently uses a path-based glob. Which change should the team make to restrict access to only the app path?
Change the path to 'secret/data/app/+' and use 'list' capability.
Change the path to 'secret/data/app/*' and add 'deny' capability for other paths.
Keep the path as 'secret/data/app/*' but add a policy with path 'secret/data/team/*' and 'deny' capability.
Change the path to 'secret/data/app/' (without glob) and ensure the policy only grants 'read' capability.
Using a concrete path with trailing slash (or no glob) restricts to that specific path prefix only.
A DevOps team is writing a Vault policy for a CI/CD pipeline that needs to authenticate using AppRole, read specific secrets, and write dynamic database credentials. Which THREE capabilities should be included in the policy to meet these requirements? (Choose three.)
write
create
'create' is needed to generate new database credentials.
read
'read' is required to read secret data.
sudo
update
'update' is needed to rotate or modify database credentials.
Refer to the exhibit. A developer reports that they cannot read secrets under 'secret/data/kv-v2/engineering/db-pass' using a token that has the above policy attached. What is the most likely cause?
The policy requires the 'sudo' capability for reading secrets.
The secret does not exist because the path is incorrect.
The token does not have the policy attached.
The policy itself looks correct; the most likely cause is that the token was not assigned this policy.
The path uses a glob that does not match the exact secret path.
A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?
Set the mount's max_lease_ttl to 1h.
Ask each developer to set the TTL when requesting credentials.
Configure the role with a ttl of 1h.
The role-level ttl overrides the default lease TTL.
Use a periodic token with a period of 1h.
An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?
The request will be rejected because the requested TTL exceeds the role's ttl.
48h
24h
The role's ttl is the effective TTL when it is lower than the mount default.
72h
Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)
Reducing the default lease TTL
Shorter TTLs cause leases to expire faster, reducing count.
Revoking a lease
Revocation removes the lease immediately.
Creating a new lease
Increasing the max lease TTL
Renewing a lease
A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?
The lease is not renewable.
The mount's max_lease_ttl is set to 1h.
The developer does not have permission to renew the lease.
The role's max_ttl is set to 1h.
The role max_ttl caps the lease duration.
A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. They are considering the following actions:
A. Increase the default lease TTL for the KV v2 mount to 1 hour.
B. Increase the token TTL for the Kubernetes auth role to 1 hour.
C. Implement a renewal loop in each service to renew tokens every 10 minutes.
D. Use periodic tokens with a period of 1 hour for all services.
Increase the default lease TTL for the KV v2 mount to 1 hour.
Increase the token TTL for the Kubernetes auth role to 1 hour.
Token TTL directly addresses the token expiration issue.
Implement a renewal loop in each service to renew tokens every 10 minutes.
Use periodic tokens with a period of 1 hour for all services.
A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?
Increase the default lease TTL to 8 hours and configure periodic tokens with a short TTL.
A longer lease reduces renewal frequency, and periodic tokens ensure the overall lifetime is bounded.
Remove the TTL entirely so that credentials never expire.
Decrease the default lease TTL from 1 hour to 30 minutes.
Increase the maximum TTL for the role to 24 hours.
A DevOps team uses Vault to store database credentials via the database secrets engine. They notice that after the default lease duration, applications receive errors when trying to connect. The team wants to ensure that applications automatically renew leases before expiration. What should they do?
Schedule a cron job to periodically read new credentials.
Set a longer default TTL on the role.
Use Vault Agent to renew the secret.
Vault Agent can automatically renew leases and manage secrets lifecycle.
Set a longer max TTL on the mount.
A security team wants to store static secrets like API keys in Vault. They need the secrets to be versioned and support rollback. Which secrets engine should they use?
Cubbyhole
KV v1
Transit
KV v2
KV v2 supports versioning and rollback of secrets.
An organization uses the AWS secrets engine to generate IAM users dynamically. They notice that the generated IAM user is not immediately available for use in AWS. What is the most likely reason?
The Vault write operation failed due to network latency.
The TTL on the role is too short.
Vault must wait for the AWS secret key to be rotated before returning the user.
AWS IAM is eventually consistent and the user may take a few seconds to propagate.
AWS IAM has eventual consistency, causing a short delay.
A company is using the PKI secrets engine to issue certificates for internal services. They want to ensure that certificates are automatically revoked if a service is decommissioned. What should they implement?
Implement certificate pinning in all services.
Use Vault's built-in lifecycle management and revocation capabilities.
Vault can revoke certificates via API or when lease expires.
Set a very short TTL on certificates so they expire quickly.
Configure a Certificate Revocation List (CRL) that clients check.
A developer wants to use Vault to encrypt sensitive data before storing it in a database. They need to perform encryption and decryption operations without ever exposing the encryption key. Which secrets engine should they use?
PKI
KV v2
Transit
Transit provides encryption as a service without exposing keys.
Database
A company has multiple Vault clusters in different regions. They want to use the replication feature to synchronise secrets across clusters. However, they want to exclude a specific secrets engine from replication for compliance reasons. What should they do?
Create a separate Vault cluster for that secrets engine.
Disable replication on that specific mount.
Use disaster recovery (DR) replication and exclude the mount.
Use performance replication and configure a mount filter.
Performance replication supports mount filtering with path_filter.
A DevOps engineer needs to write a new secret to the KV v2 engine at path 'secret/data/team' with key 'api_key' and value 'abc123'. Which Vault CLI command achieves this?
vault kv put secret/data/team api_key=abc123
vault kv put secret/team api_key=abc123
Correct command; 'vault kv put' writes to KV v2 engine at the specified path (mount path is 'secret/', the secret is 'team').
vault write secret/data/team api_key=abc123
vault write secret/team api_key=abc123
An admin wants to list all enabled authentication methods using the Vault API. Which curl command is correct?
curl -H "X-Vault-Token: s.abc123" https://vault.example.com:8200/v1/sys/auths
curl -H "X-Vault-Token: s.abc123" https://vault.example.com:8200/v1/sys/auth
Correct; GET to /v1/sys/auth returns all enabled auth methods.
curl -X POST -H "X-Vault-Token: s.abc123" https://vault.example.com:8200/v1/sys/auth
curl -H "X-Vault-Token: s.abc123" https://vault.example.com:8200/v1/auth
A user wants to log in using the userpass auth method with username 'jdoe' and password 'p@ssw0rd'. What is the correct API endpoint and request?
GET /v1/auth/userpass/login/jdoe with header "password: p@ssw0rd"
PUT /v1/auth/userpass/login/jdoe with JSON body {"password":"p@ssw0rd"}
POST /v1/auth/userpass/login/jdoe?password=p@ssw0rd
POST /v1/auth/userpass/login/jdoe with JSON body {"password":"p@ssw0rd"}
Correct; standard userpass login API call.
A security team needs to create a token with a custom TTL of 1 hour and associate it with a policy named 'read-only'. Which Vault CLI command accomplishes this?
vault token create -policy=read-only -ttl=1h
Correct; vault token create creates a token with the specified policy and TTL.
vault write auth/token/create policies=read-only ttl=1h
vault token create -policy=read-only -ttl 1h
vault create token -policy=read-only -ttl=1h
An operator wants to enable the AWS auth method at the default path. Which curl command is correct?
curl -X POST -H "X-Vault-Token: s.abc" -d '{"type":"aws"}' https://vault:8200/v1/sys/auth/aws/
curl -X PUT -H "X-Vault-Token: s.abc" -d '{"type":"aws"}' https://vault:8200/v1/sys/auth/aws
curl -X POST -H "X-Vault-Token: s.abc" -d '{"method":"aws"}' https://vault:8200/v1/sys/auth/aws
curl -X POST -H "X-Vault-Token: s.abc" -d '{"type":"aws"}' https://vault:8200/v1/sys/auth/aws
Correct; POST to /v1/sys/auth/aws with type 'aws' enables the AWS auth method.
Which TWO of the following are valid methods to authenticate to Vault using the CLI?
vault auth -method=token token=s.abc
vault login -method=userpass username=jdoe
Valid; userpass authentication via CLI.
vault authenticate -method=userpass username=jdoe
Setting environment variable VAULT_AUTH=s.abc
vault login -method=ldap username=jdoe
Valid; LDAP authentication via CLI.
A DevOps team is deploying Vault in a Kubernetes cluster. They want to ensure that when a pod starts, it can obtain a short-lived Vault token without human intervention. Which Vault architecture component should they use?
Audit Device
Storage Backend (Consul)
Vault Agent sidecar
Automatically authenticates and injects tokens into pods.
Vault CLI with token helper
During a performance test, Vault becomes unresponsive for several seconds when the storage backend experiences high latency. Which architectural change would best improve Vault's resilience to storage latency?
Configure Performance Standby nodes
Offloads read operations and reduces load on the active node.
Add more storage backend nodes
Disable storage replication
Increase the number of Vault nodes without replication
A security engineer wants to ensure that all requests to Vault are logged for compliance. Which component must be configured?
Secrets Engine
Storage Backend
Audit Device
Logs all requests to Vault.
Auth Method
A company is using Vault's Integrated Storage (Raft) for high availability. During a network partition, two Vault nodes become isolated from the third. What happens to the isolated nodes?
The two isolated nodes continue to serve requests; the third stops
The two nodes have quorum; the isolated third does not.
All three nodes automatically rejoin after partition
All three nodes continue to serve requests
The two isolated nodes stop serving requests
An administrator notices that after a Vault unseal operation, the root token is no longer usable. The audit logs show no revocations. What is the most likely cause?
The root token's TTL expired during unseal
The root token was revoked during unseal
The root token's policy was removed
The root token was stored in memory only and lost on seal
Root tokens are often not persisted; they are lost when Vault seals.
Which Vault component is responsible for encrypting data before storing it in the storage backend?
Storage Backend
Audit Device
Barrier
Encrypts all data before storage.
Secrets Engine
A healthcare application needs to encrypt sensitive patient data before storing it in a legacy database that does not support encryption. The team wants to use Vault's encryption as a service. However, the application is running on a restricted network that cannot make outbound HTTP requests to Vault. Which solution should the team implement?
Set up Vault replication from a central Vault to a local Vault instance.
Deploy Vault Agent in sidecar mode with a configured encrypt stanza to handle encryption locally.
Vault Agent can process encryption locally via a Unix socket.
Use Vault's HTTP API from the application to encrypt data directly.
Enable the transit secrets engine and call Vault's encrypt endpoint.
A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?
The 'read' capability is missing.
The 'encrypt' capability is missing.
Encrypt capability is required for encryption operations.
The 'delete' capability is missing.
The 'list' capability is missing.
A developer wants to encrypt data using Vault's transit engine with a key named 'payment-key'. The key already exists and is set to allow encryption. Which API path should the developer use to encrypt the data?
POST /v1/transit/decrypt/payment-key
POST /v1/transit/rewrap/payment-key
POST /v1/transit/keys/payment-key
POST /v1/transit/encrypt/payment-key
Correct path for encryption.
An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?
POST /v1/transit/datakey/plaintext/my-key
Returns both plaintext and ciphertext data key.
POST /v1/transit/encrypt/my-key
POST /v1/transit/decrypt/my-key
POST /v1/transit/datakey/ciphertext/my-key
Which TWO capabilities are required in a Vault policy to allow a client to encrypt data using a key named 'app-key' in the transit engine? (Assume the key already exists.)
read on /transit/keys/app-key
Required to read key metadata.
encrypt on /transit/encrypt/app-key
Required to perform encryption.
update on /transit/keys/app-key
create on /transit/keys/app-key
list on /transit/keys/app-key
Which THREE statements are true about Vault's encryption as a service using the transit engine?
Encryption keys cannot be rotated once created.
Data encrypted with a key can be decrypted with a later version of the same key if the key is rotated.
Old versions are kept for decryption.
The transit engine supports convergent encryption.
Convergent encryption is supported.
Vault stores the plaintext data for audit purposes.
Clients can provide their own key material when creating a key.
Supported via 'exportable' keys.
The VA-003 exam has 57 questions and must be completed in 60 minutes. The passing score is 700/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 8 domains: Compare authentication methods, Assess Vault tokens, Create Vault policies, Manage Vault leases, Compare and configure secrets engines, Utilize Vault CLI and API, Explain Vault architecture, Explain encryption as a service. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official HashiCorp VA-003 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.