Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

VA-003 Utilize Vault CLI and API — All Questions With Answers

Complete VA-003 Utilize Vault CLI and API question bank — all 0 questions with answers and detailed explanations.

62 Questions. Free. No signup.

Question 1 (medium, multiple choice)

A DevOps engineer needs to write a new secret to the KV v2 engine at path 'secret/data/team' with key 'api_key' and value 'abc123'. Which Vault CLI command achieves this?

Question 2 (hard, multiple choice)

An admin wants to list all enabled authentication methods using the Vault API. Which curl command is correct?

Question 3 (easy, multiple choice)

A user wants to log in using the userpass auth method with username 'jdoe' and password 'p@ssw0rd'. What is the correct API endpoint and request?

Question 4 (hard, multiple choice)

A security team needs to create a token with a custom TTL of 1 hour and associate it with a policy named 'read-only'. Which Vault CLI command accomplishes this?

Question 5 (medium, multiple choice)

An operator wants to enable the AWS auth method at the default path. Which curl command is correct?

Question 6 (medium, multi select)

Which TWO of the following are valid methods to authenticate to Vault using the CLI?

Question 7 (hard, multi select)

Which THREE of the following are correct about using the Vault API to read a secret from KV v2 engine?

Question 8 (medium, multiple choice)

Refer to the exhibit. A developer ran the command and received the JSON output. Which command would retrieve only the value of 'api_key' in plain text?

Exhibit

$ vault read -format=json secret/data/team
{
  "data": {
    "data": {
      "api_key": "abc123"
    },
    "metadata": {
      "created_time": "2023-01-01T00:00:00Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  }
}

Question 9 (easy, multiple choice)

Refer to the exhibit. A user has a token that has the 'default' policy attached. What actions can the user perform on 'secret/data/team'?

Exhibit

$ vault policy list
admin-policy
default
readonly
$ vault token capabilities secret/data/team
read, list
$ vault token capabilities -policy=readonly secret/data/team
read, list
$ vault token capabilities -policy=admin-policy secret/data/team
create, read, update, delete, list

Question 10 (hard, multiple choice)

You are a Vault administrator for a large organization. Your team uses a centralized Vault cluster with multiple auth methods enabled, including userpass, LDAP, and approle. Recently, a developer reported that they are unable to authenticate using their userpass credentials, receiving the error 'permission denied'. The developer confirms the username and password are correct. Other developers using userpass can authenticate successfully. The Vault audit logs show that the authentication request for this developer is reaching Vault but failing with 'invalid password'. You have verified that the password is correct by resetting it via the Vault CLI. The developer's userpass entry exists and is not disabled. Which of the following is the most likely cause and correct course of action?

Question 11 (medium, multi select)

Which TWO of the following Vault CLI commands can be used to write data to Vault?

Question 12 (easy, multiple choice)

A DevOps engineer is tasked with automating the rotation of a static secret stored in Vault's KV secrets engine (version 2). The secret is currently stored at path 'secret/data/app/config' with keys 'username' and 'password'. The engineer wants to update the 'password' key using the Vault CLI from a CI/CD pipeline. The pipeline uses a token with a policy that grants 'create', 'update', and 'read' capabilities on 'secret/data/app/*'. Which CLI command should the engineer use to update only the 'password' key, leaving other keys unchanged?

Question 13 (medium, multiple choice)

A DevOps engineer is troubleshooting a Vault CLI command that is failing with the error 'Error writing data: Error making API request'. The engineer has verified that the Vault token is valid and unexpired. Which of the following is the most likely cause of this error?

Question 14 (easy, multiple choice)

A company uses Vault to manage secrets for multiple applications. A new security policy requires that all human users authenticate using LDAP and that all machine-to-machine authentication uses AppRole. An administrator has configured an LDAP auth method at 'ldap/' and an AppRole at 'approle/'. The administrator creates a role 'web-app' with a secret ID TTL of 30 days and a token TTL of 1 hour. After deploying the web application, the application successfully logs in using the AppRole role ID and secret ID, retrieves a token, and reads secrets. However, after 1 hour, the application begins receiving 'permission denied' errors when trying to read secrets. The application logs show that it is using the same token obtained during initial login. Which action should the administrator take to resolve this issue?

Question 15 (medium, drag order)

Drag and drop the steps to set up Vault's Transit secrets engine for encryption/decryption into the correct order.

Question 16 (medium, matching)

Match each Vault policy capability to its permission.

Allow creating data at a path

Allow reading data at a path

Allow modifying existing data

Allow deleting data

Allow listing keys

Question 17 (easy, multiple choice)

A developer wants to authenticate to Vault using LDAP credentials. Which CLI command should they use?

Question 18 (medium, multiple choice)

An operator needs to create a token role named 'web-app' with a default TTL of 24 hours. Which API request is correct?

Question 19 (hard, multiple choice)

A user receives 'permission denied' when running 'vault write secret/data/myapp value=123'. The user's token has a policy that includes 'path "secret/data/*" { capabilities = ["read", "list"] }'. What is the most likely cause?

Question 20 (easy, multiple choice)

A team wants to retrieve a dynamic database credential from Vault. Which CLI command should be used?

Question 21 (medium, multiple choice)

An administrator wants to mount the AWS secrets engine at 'aws' path using the API. Which request is correct?

Question 22 (hard, multiple choice)

A security team must automate periodic credential rotation for a database. The rotation script should run on a server that cannot have the Vault binary installed but can make HTTP requests. Which approach should they use?

Question 23 (easy, multiple choice)

A user runs 'vault write secret/mydata value=hello' and gets a warning about missing metadata. They intended to store a simple key-value pair. What is the most likely issue?

Question 24 (medium, multiple choice)

An operator needs to create a periodic token with a period of 36 hours. Which command should they use?

Question 25 (hard, multiple choice)

A user tries to renew their own token using 'vault token renew -self' and gets 'Error renewing token: Error making API request'. The token is still valid. What could be the cause?

Question 26 (medium, multi select)

A user wants to view information about their current token, including its policies and TTL. Which TWO CLI commands can be used?

Question 27 (easy, multi select)

A policy must allow a user to write a new version of an existing secret in a KV v2 secrets engine. Which TWO capabilities are required on the 'data/' path?

Question 28 (hard, multi select)

An operator needs to perform token lifecycle operations. Which THREE API endpoints are valid for token-related actions?

Question 29 (medium, multiple choice)

Refer to the exhibit. A user with this policy attempts to read 'secret/data/team/admin'. What will happen?

Exhibit

path "secret/data/team/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/team/admin" {
  capabilities = ["deny"]
}

Question 30 (hard, multiple choice)

Refer to the exhibit. A user runs 'vault token renew -self' on this token. What is the expected behavior?

Exhibit

Key                 Value
---                 -----
accessor            xyz123
creation_time       1625000000
creation_ttl        72h
display_name        root
entity_id           abc456
expire_time         2021-07-02T12:00:00Z
explicit_max_ttl    0s
id                  s.abc123def456
issue_time          2021-06-29T12:00:00Z
meta                map[]
num_uses            0
orphan              true
path                auth/token/root
policies            [root]
renewable           true
type                service

Question 31 (easy, multiple choice)

Refer to the exhibit. A user wants to write a secret 'db_password' with value 's3cret' to this secrets engine. Which CLI command should be used?

Exhibit

$ vault secrets enable -path=shared -version=2 kv

Question 32 (easy, multiple choice)

An administrator wants to retrieve the value of a secret stored at the path 'kv/secret/mykey' using the Vault CLI. Which command should they use?

Question 33 (medium, multiple choice)

A user attempts to read a secret at path 'secret/data/app' and receives a 403 Forbidden error. What is the most likely cause?

Question 34 (hard, multiple choice)

An administrator needs to securely provide a one-time use token to a remote service using Vault response wrapping. Which CLI flag or command should they use?

Question 35 (medium, multiple choice)

An engineer wants to list all secrets under the path 'myapp/' in a KV v2 secrets engine mounted at 'secret/'. Which API call should they make?

Question 36 (easy, multiple choice)

Which Vault CLI command is used to authenticate a user with a username and password to the userpass auth method?

Question 37 (hard, multiple choice)

A Vault agent is configured with auto-auth and is used to renew a long-running application's token. Which token type is best suited to minimize interruptions and avoid token renewal failures?

Question 38 (medium, multiple choice)

When running Vault in development mode, which storage backend is used by default?

Question 39 (easy, multiple choice)

An administrator has created a policy file named 'app-policy.hcl'. Which command should they use to upload this policy to Vault?

Question 40 (hard, multiple choice)

A DevOps engineer needs to create a token with a specific policy attached using the Vault API. Which API endpoint and request should they use?

Question 41 (easy, multi select)

Which TWO statements are true when troubleshooting a failed Vault CLI command?

Question 42 (medium, multi select)

Which THREE are benefits of using Vault response wrapping?

Question 43 (hard, multi select)

Which THREE API endpoints are valid for managing policies in Vault?

Question 44 (easy, multiple choice)

The CLI command returns a 403 error. What is the most likely cause?

Exhibit

Refer to the exhibit.
$ vault read -field=value database/creds/readonly
Error reading database/creds/readonly: Error making API request.

URL: GET http://127.0.0.1:8200/v1/database/creds/readonly
Code: 403. Errors:

* permission denied

Question 45 (medium, multiple choice)

This Vault agent configuration section is incomplete. What is missing for the AWS auto-auth method to function correctly?

Exhibit

Refer to the exhibit.
auto_auth {
    method {
        type = "aws"
        config = {
            role = "my-role"
        }
    }
}

Question 46 (hard, multiple choice)

A user with this policy wants to delete secrets under the 'team/' path. Which additional capability must be added?

Exhibit

Refer to the exhibit.
path "secret/data/team/*" {
  capabilities = ["create", "update", "read"]
}

Question 47 (medium, multiple choice)

A DevOps engineer runs `vault token lookup s.abc123` and receives a permission denied error. The engineer has a valid token with the default policy attached. What is the most likely cause?

Question 48 (easy, multiple choice)

An administrator wants to write a secret 'myapp' with value 'password=pass123' to the KV v2 secret engine mounted at 'secret/'. Which command should they use?

Question 49 (hard, multiple choice)

A security team needs to automate the rotation of a database password stored in Vault. The password is currently written as a static secret at 'database/creds/prod'. They want to use the Vault API to read and rewrite the secret, ensuring that the previous version is preserved for audit. The script must handle the case where the secret path may not exist. Which approach should they use?

Question 50 (medium, multiple choice)

An operator runs `vault lease renew -increment=3600 database/creds/readonly/abc123` and gets an error: 'Error renewing lease: Error making API request. URL: PUT https://vault.example.com/v1/sys/leases/renew. Code: 400. Errors: * invalid lease ID'. What is the most likely cause?

Question 51 (easy, multiple choice)

An application needs to read a secret using the Vault API after authenticating with an AppRole RoleID and SecretID. The application has already obtained a Vault token. Which API endpoint should be called to read a secret at 'secret/data/myapp' with the token?

Question 52 (hard, multiple choice)

A Vault cluster has a performance secondary cluster replicating from a primary. An administrator needs to generate a one-time password (OTP) for an SSH target. They are on the secondary cluster. They run `vault write ssh/otp/otp_role ip=10.0.0.1 username=admin`. What is the expected behavior?

Question 53 (easy, multi select)

Which TWO of the following are valid methods to authenticate to Vault using the CLI without using a token? (Choose two.)

Question 54 (medium, multi select)

Which TWO of the following are valid uses of the Vault API for managing leases? (Choose two.)

Question 55 (hard, multi select)

Which THREE of the following are true about using the Vault API with response wrapping? (Choose three.)

Question 56 (hard, multiple choice)

A company runs a monolithic application that reads database credentials from Vault KV v2 secrets engine at path 'app/db'. The application authenticates using an AppRole with a periodic token that renews automatically. Recently, the application started failing with permission denied errors when reading the secret. The administrator checks the AppRole's secret-id and token but they are valid. The administrator then runs `vault token capabilities $(cat /tmp/token) app/db/data` and gets an empty list. The administrator knows that the token has the 'app-policy' policy attached. They also run `vault read sys/policy/app-policy` and see the policy rules. The policy allows explicit 'read' on 'app/db/data'. What could be the issue?

Question 57 (medium, multiple choice)

A team is migrating from a monolithic application to microservices. Each microservice needs to authenticate to Vault using its own AppRole. The security team wants to enforce that each AppRole can only read secrets from its own dedicated path (e.g., service-a can only read from 'services/service-a/*', service-b from 'services/service-b/*'). They have created the AppRoles and policies. However, during testing, they notice that service-a can read secrets from service-b's path. The administrator checks the policy for service-a and sees it has a 'capabilities' list on 'services/service-a/*' and also 'services/service-b/*' by mistake. They correct the policy, but the issue persists. What is the most likely reason that service-a still has access?

Question 58 (easy, multiple choice)

A new administrator is tasked with setting up a Vault development environment. They installed Vault and started the server in dev mode. They want to use the CLI to write and read a secret without authentication. They run `vault kv put secret/hello value=world` but get an error: 'Error writing data to secret/data/hello: Error making API request. URL: PUT https://127.0.0.1:8200/v1/secret/data/hello Code: 403. Errors: * permission denied'. What should they do first to resolve this?

Question 59 (medium, multiple choice)

An organization uses Vault's AWS secret engine to dynamically generate IAM credentials. The application uses the API to request credentials by calling 'POST /v1/aws/creds/my-role'. Recently, the application started receiving '400 Bad Request' with error 'invalid role ARN'. The role 'my-role' is defined in Vault and has been working for months. The administrator checks the role configuration and confirms the ARN is correct and that the associated IAM policy exists in AWS. The Vault server logs show no connectivity issues with AWS. The application code has not changed. What is the most likely cause?

Question 60 (medium, multi select)

A DevOps engineer is troubleshooting a script that uses the Vault CLI to authenticate and read a secret. The script works when run manually from a terminal, but fails when executed by a CI/CD pipeline. The engineer has verified that the same environment variables (VAULT_ADDR, VAULT_TOKEN) are set in both environments. Which two of the following are likely causes of the failure? (Choose two.)

Question 61 (hard, multiple choice)

Refer to the exhibit. A user authenticates via the userpass method. The token helper stores the token. The user's default policy grants read access to secret/data/engineering. The user attempts to read secret/data/engineering using `vault kv get secret/engineering`. The command fails with "permission denied". What is the most likely reason?

Exhibit

$ vault login -method=userpass username=jdoe
Password (will be hidden): 
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                    Value
---                    -----
token                  hvs.abc123...
token_accessor         abc123...
token_duration         768h
token_renewable        true
token_policies         [default]
identity_policies      []
policies               [default]
token_meta_username    jdoe

Question 62 (easy, multiple choice)

A junior administrator is writing a shell script that will be used by other team members to retrieve static secrets from Vault. The secrets are stored in the KV v2 secrets engine mounted at `secret/`. One particular secret, `credentials`, is located under the path `secret/data/credentials`. The administrator has already authenticated using the Vault CLI with a token that has read access specifically to that path. The environment variables `VAULT_ADDR` and `VAULT_TOKEN` are set correctly to point to the Vault server at `https://vault.example.com:8200` and the valid token. The script needs to run the correct command to retrieve the secret and output its key-value pairs for use by an application. Which command should the administrator include in the script?
