Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


VA-003 Compare authentication methods • Complete Question Bank

VA-003 Compare authentication methods — All Questions With Answers

Complete VA-003 Compare authentication methods question bank — all 0 questions with answers and detailed explanations.

60 questions · Free · No signup

Question 1 (easy, multiple choice)

A DevOps team wants to authenticate to Vault using short-lived tokens without storing a secret in their CI/CD pipeline. Which authentication method best meets this requirement?

Question 2 (medium, multiple choice)

An organization uses Kubernetes pods to access Vault. They want to avoid hardcoding any secrets in the pod definition. Which authentication method should they use?

Question 3 (hard, multiple choice)

A security team notices that some Vault users are authenticating with the Userpass auth method, but they want to enforce password complexity and expiration. What is the best approach?

Question 4 (medium, multiple choice)

A company has multiple AWS accounts and wants to allow EC2 instances to authenticate to Vault without storing any secrets on the instances. Which authentication method should they use?

Question 5 (hard, multiple choice)

An administrator configures AppRole with a RoleID and SecretID. They want to ensure that each SecretID can be used only once. Which configuration should they use?

Question 6 (easy, multiple choice)

Which authentication method allows a user to authenticate using a one-time password (OTP) generated by an authenticator app?

Question 7 (medium, multiple choice)

A Vault administrator wants to allow users to authenticate using their corporate Active Directory credentials. Which authentication method should they enable?

Question 8 (hard, multiple choice)

A company uses Vault for secrets management. They want to authenticate using GitHub tokens, but only for users who are members of a specific GitHub team. What must be configured?

Question 9 (medium, multi select)

Which TWO authentication methods allow a machine to authenticate without storing a static secret? (Choose two.)

Question 10 (hard, multi select)

Which THREE factors contribute to the security of the AppRole authentication method? (Choose three.)

Question 11 (easy, multi select)

Which TWO authentication methods are designed for human users? (Choose two.)

Question 12 (hard, multiple choice)

A financial services company runs a microservices architecture on Kubernetes. Each microservice needs to authenticate to Vault to retrieve database credentials. The security team mandates that no secrets (tokens, passwords, certificates) be stored in container images or Kubernetes secrets. They also require that each microservice can only access its own secrets. The platform team is evaluating authentication methods. They consider using AppRole, but are concerned about distributing the SecretID. They also consider Kubernetes auth, but are unsure how to restrict access per microservice. They test with a Kubernetes deployment and find that any pod in the namespace can authenticate to Vault. What should they do to meet all requirements?

Question 13 (medium, multiple choice)

A startup uses Vault to manage secrets for their web application. They currently have a single admin user who authenticates with a root token. They want to allow two developers to authenticate with their own credentials and restrict them to read-only access to a specific path 'secret/data/webapp'. They decide to use the Userpass auth method. The admin creates a user 'dev1' with password 'password123' and assigns a policy 'webapp-readonly' that grants read capability on 'secret/data/webapp'. However, when dev1 tries to log in, Vault returns a permission denied error. The admin checks the token and sees no policies attached. What is the most likely issue?

Question 14 (medium, drag order)

Drag and drop the steps to enable AppRole authentication in Vault into the correct order.

Question 15 (medium, drag order)

Drag and drop the steps to set up Vault's Kubernetes auth method into the correct order.

Question 16 (medium, matching)

Match each Vault secret engine to its primary purpose.

Matches

Key-value storage with versioning

Dynamic AWS IAM credentials

X.509 certificate generation

Encryption as a service

Dynamic database credentials

Question 17 (medium, matching)

Match each Vault replication type to its behavior.

Matches

Disaster recovery, async replication

Scale read operations, active-standby

Replicate only mount-specific data

Replicate all data across clusters

Question 18 (easy, multiple choice)

A DevOps team wants to automate authentication to Vault for Jenkins jobs running on AWS EC2 instances. Which authentication method is most appropriate and secure for this use case without storing long-lived credentials?

Question 19 (medium, multiple choice)

A security administrator notices that a Vault client using AppRole authentication is generating a very large number of tokens, causing performance issues. The administrator finds that the same AppRole role is used by multiple applications. What should the administrator do to reduce the number of tokens while maintaining security?

Question 20 (hard, multiple choice)

An organization uses Vault with LDAP authentication. Users report they are unable to log in, and the administrator sees errors like 'LDAP bind failed: invalid credentials' in the Vault logs. The LDAP server is reachable. What is the most likely cause?

Question 21 (easy, multiple choice)

An administrator wants to allow users to authenticate to Vault using their existing corporate GitHub accounts. Which authentication method should be enabled?

Question 22 (medium, multiple choice)

A company has a Vault cluster and wants to allow applications running in Kubernetes pods to authenticate without storing static secrets. Which Vault authentication method is specifically designed for Kubernetes?

Question 23 (hard, multiple choice)

During an audit, it is discovered that a single AppRole role is used by hundreds of applications, and it is impossible to revoke access for a single compromised application without affecting others. What should be done to improve the security posture?

Question 24 (easy, multiple choice)

Which authentication method in Vault uses a shared secret (Role ID) and a dynamic secret (Secret ID) to authenticate machines or applications?

Question 25 (medium, multiple choice)

A Vault administrator needs to allow users to authenticate using their existing corporate Active Directory credentials. The administrator has configured the LDAP authentication method but users cannot log in. The Vault logs show 'LDAP bind successful' but then 'user not found in group' error. What is the most likely issue?

Question 26 (hard, multiple choice)

An organization uses Vault with the JWT/OIDC authentication method. After configuring the provider, users can authenticate, but the scopes requested do not include the email claim needed for policy mapping. What should the administrator do?

Question 27 (medium, multi select)

Which TWO of the following are valid authentication methods in HashiCorp Vault? (Choose two.)

Question 28 (hard, multi select)

Which THREE of the following are true statements about the AppRole authentication method? (Choose three.)

Question 29 (medium, multi select)

Which TWO of the following are differences between using Vault's token auth method and other auth methods? (Choose two.)

Question 30 (easy, multiple choice)

Refer to the exhibit. Which authentication method is currently enabled for production applications?

Exhibit

Refer to the exhibit.

```
$ vault auth list
Path      Type      Accessor                    Description                       Default TTL
----      ----      --------                    -----------                       -----------
token/    token     auth_token_xxx              token based credentials           system
audit/    userpass  auth_userpass_xxx           n/a                               24h
prod/     approle   auth_approle_xxx            n/a                               24h
```

Question 31 (easy, multiple choice)

A development team wants to authenticate to Vault using a method that does not require storing secrets in source code and supports automatic rotation of credentials. Which authentication method best meets these requirements?

Question 32 (medium, multiple choice)

An organization uses AppRole with secret_id generation via the Vault API. Security policy requires that each secret_id can be used only once and must expire after 1 hour. Which configuration option should be set on the AppRole role to enforce this?

Question 33 (hard, multiple choice)

A company is migrating from on-premises to cloud and needs to authenticate applications using short-lived credentials. They have a mix of workloads: some on AWS EC2, some on Kubernetes, and some in their own datacenter. Which Vault authentication method provides a unified solution that works across all these environments without requiring a shared secret?

Question 34 (easy, multiple choice)

A CI/CD pipeline runs in a Kubernetes cluster and needs to authenticate to Vault to fetch secrets. The pipeline should not have to manage any long-lived credentials. Which authentication method is most suitable?

Question 35 (medium, multiple choice)

An administrator wants to use Vault's authentication method that allows users to log in with their corporate credentials via a federated identity system. The credentials are stored in an external identity provider (IdP) and Vault should not store any passwords. Which authentication method should be configured?

Question 36 (hard, multiple choice)

A large enterprise uses Azure Active Directory as its identity provider. They want to authenticate users to Vault using Azure AD tokens. However, they require that Vault validate the token's signature and claims without contacting Azure AD every time. Which authentication method should they use?

Question 37 (easy, multiple choice)

A security team wants to allow applications to authenticate to Vault without storing any secrets in configuration files. The applications run on AWS EC2 instances with an IAM role attached. Which Vault authentication method leverages the EC2 instance metadata to obtain credentials?

Question 38 (medium, multiple choice)

An administrator needs to enable an authentication method for human users that integrates with an existing LDAP directory. The company wants to ensure that Vault can perform group-based policy assignment based on LDAP group membership. Which configuration step is mandatory to map LDAP groups to Vault policies?

Question 39 (hard, multiple choice)

A company uses both userpass and AppRole authentication methods. They notice that tokens issued via AppRole are not properly revoked when the corresponding secret_id is deleted. Which concept explains this behavior?

Question 40 (medium, multi select)

Which TWO authentication methods support multi-factor authentication (MFA) natively within Vault Enterprise?

Question 41 (hard, multi select)

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

Question 42 (medium, multi select)

Which THREE authentication methods support generating tokens with TTL and renewable options?

Question 43 (medium, multiple choice)

A Vault administrator runs `vault auth list` and sees the output shown in the exhibit. The administrator wants to disable the default token authentication method to improve security. Which command should they run?

Exhibit

Refer to the exhibit.

```
$ vault auth list
Path      Type      Accessor                  Description
userpass/ userpass auth_userpass_xxxx        Userpass auth
ldap/     ldap     auth_ldap_yyyy            LDAP auth
approle/  approle   auth_approle_zzzz        AppRole auth
token/    token    auth_token_wwww           Token auth
```

Question 44 (hard, multiple choice)

A user 'john' logs in via the userpass method. The output shows a token with a duration of 768 hours. However, the userpass mount is configured with `token_ttl=24h`. What is the most likely reason for the longer token duration?

Exhibit

Refer to the exhibit.

```
$ vault read auth/userpass/login/john
Key                 Value
---                 -----
token               s.abc123...
token_accessor      abc123...
token_duration      768h
token_renewable     true
identity_policies   ["default"]
policies            ["default"]
```

Question 45 (easy, multiple choice)

A Vault administrator is configuring AppRole authentication via the configuration file shown. After running `vault server -config=config.json`, they try to enable AppRole at a different path. What will happen?

Exhibit

Refer to the exhibit.

```
# config.json
{
  "backend": [
    {
      "type": "approle",
      "path": "approle/",
      "config": {
        "default_lease_ttl": "1h",
        "max_lease_ttl": "24h"
      },
      "options": {}
    }
  ]
}
```

Question 46 (easy, multiple choice)

A DevOps team wants to authenticate a CI/CD pipeline running on a Jenkins server outside Kubernetes. The pipeline needs to obtain short-lived tokens to read secrets. Which authentication method should be used?

Question 47 (medium, multiple choice)

An organization previously used userpass auth and is migrating to LDAP auth. After enabling LDAP and configuring the bind user, users can authenticate but their policies do not apply. What is the most likely cause?

Question 48 (hard, multiple choice)

A company uses AWS IAM auth for EC2 instances. An instance with an IAM role 'app-role' successfully logs in, but another instance with the same IAM role receives a permission denied error when trying to authenticate. The Vault server and AWS account are healthy. What is the most likely cause?

Question 49 (easy, multiple choice)

A security engineer needs to choose an authentication method for a set of microservices running in a Kubernetes cluster that require short-lived secrets. The method should leverage the pod's identity. Which method is best?

Question 50 (medium, multiple choice)

A company uses OIDC auth for human users. After the OIDC provider rotates its signing keys, some users report that they cannot authenticate. The Vault logs show that the OIDC response validation fails. What is the most likely cause?

Question 51 (hard, multiple choice)

A company uses Kubernetes auth. A pod in namespace 'prod' with service account 'my-sa' can authenticate and read secrets. After upgrading the Kubernetes cluster, the same pod fails to authenticate with error 'JWT token issuer is not valid'. What is the most likely cause?

Question 52 (easy, multiple choice)

An administrator wants to allow human users to authenticate using their corporate Active Directory credentials. Which authentication method should they enable?

Question 53 (medium, multi select)

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

Question 54 (hard, multi select)

Which THREE are best practices when selecting authentication methods for different use cases?

Question 55 (easy, multi select)

Which THREE authentication methods are built into Vault (no plugin required)?

Question 56 (hard, multiple choice)

A finance company runs a microservices architecture on Kubernetes. Each microservice has its own service account and uses Kubernetes auth to authenticate to Vault and read secrets. Recently, a new microservice 'payment' was deployed in the 'prod' namespace with service account 'payment-sa'. The team created a Vault role with bound_service_account_names=['payment-sa'] and bound_service_account_namespaces=['prod']. The microservice can authenticate and obtains a token, but when it tries to read the secret at path 'secret/data/payments/db', it gets a permissions error. Other microservices in the same namespace with similar roles work fine. The Vault policy for the role includes read access to 'secret/data/payments/*'. What is the most likely issue and correct action?

Question 57 (medium, multiple choice)

A SaaS company uses AppRole authentication for their CI/CD pipeline. The pipeline runs on a Jenkins server. The pipeline generates a secret ID using the AppRole 'ci-role' and then logs in to Vault to read a database credential. Recently, the pipeline started failing intermittently with errors like 'secret ID is expired' or 'secret ID is used'. The pipeline generates a new secret ID every run. The team verified that the AppRole's secret_id_ttl is set to 0 (unlimited) and the secret_id_num_uses is set to 1. The pipeline runs multiple jobs concurrently, sometimes using the same AppRole. What is the most likely cause and solution?

Question 58 (easy, multiple choice)

A small company uses Vault with LDAP authentication for their employees. They configured the LDAP auth method pointing to their on-premises Active Directory. Several users report that they can log in to the Vault UI, but they cannot see any secrets in the paths they expect. The administrator verified that the users are in the correct AD groups. The Vault policies are defined and assigned to groups via the LDAP auth method's group mapping. However, the users still have no permissions. What is the most likely root cause and the correct fix?

Question 59 (medium, multiple choice)

A large e-commerce company uses Vault to manage secrets for their AWS EC2 instances. They use AWS IAM auth. The Vault role is configured with bound_iam_role_arn to match the IAM role 'ec2-app-role'. Most instances work fine. However, a new instance launched with the same IAM role fails to authenticate. The instance can reach Vault (network is fine) and the AWS credentials are valid. The Vault server logs show: 'error validating login: unable to get instance identity document'. The new instance is in a different AWS region (us-west-2) while most others are in us-east-1. Vault is deployed in us-east-1. What is the most likely cause and solution?

Question 60 (medium, multiple choice)

A company runs its containerized workloads on multiple Kubernetes clusters and also maintains a number of legacy virtual machines running critical applications. The Vault cluster is deployed outside Kubernetes and is used to manage secrets for both environments. The DevOps team has configured the Kubernetes auth method for pods in the Kubernetes clusters, but they are experiencing authentication failures for pods in one specific namespace. Meanwhile, legacy VMs cannot authenticate at all because they are not part of any Kubernetes cluster. The Vault administrator needs to enable authentication for all workloads while minimizing changes to existing applications. The administrator has received the following requirements: containerized pods should authenticate without manual token distribution, legacy VMs should use a method that supports machine-oriented authentication with short-lived tokens, and all authentication should be auditable. Which course of action should the administrator take?
