Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Manage Vault leases practice sets

VA-003 Manage Vault leases • Complete Question Bank

VA-003 Manage Vault leases — All Questions With Answers

Complete VA-003 Manage Vault leases question bank — all 0 questions with answers and detailed explanations.

47
Questions
Free
No signup
Certifications/VA-003/Practice Test/Manage Vault leases/All Questions
Question 1mediummultiple choice
Read the full Manage Vault leases explanation →

A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?

Question 2hardmultiple choice
Read the full Manage Vault leases explanation →

An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?

Question 3easymulti select
Read the full Manage Vault leases explanation →

Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)

Question 4hardmultiple choice
Read the full Manage Vault leases explanation →

A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
password           ...
username           v-token-my-role-...

$ vault lease renew database/creds/my-role/abc123...
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
```
Question 5mediummultiple choice
Read the full Manage Vault leases explanation →

A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. They are considering the following actions:

A. Increase the default lease TTL for the KV v2 mount to 1 hour. B. Increase the token TTL for the Kubernetes auth role to 1 hour. C. Implement a renewal loop in each service to renew tokens every 10 minutes. D. Use periodic tokens with a period of 1 hour for all services.

Question 6hardmultiple choice
Read the full Manage Vault leases explanation →

A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?

Question 7mediummulti select
Read the full Manage Vault leases explanation →

A Vault administrator needs to manage leases for dynamic secrets. Which TWO of the following are valid operations related to lease management?

Question 8easymultiple choice
Read the full Manage Vault leases explanation →

A developer is troubleshooting an application that uses Vault's PostgreSQL secrets engine. The application successfully obtains a database credential from Vault, but after 30 minutes, the application starts receiving authentication errors from the database. The developer checks the Vault audit logs and sees that the lease for the credential was revoked. The lease was originally created with a TTL of 1 hour. The application is not renewing the lease. The developer wants to fix the issue so that the credential works for the full 1 hour. What should the developer do?

Question 9mediummultiple choice
Read the full Manage Vault leases explanation →

A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?

Question 10hardmulti select
Read the full Manage Vault leases explanation →

An organization uses Vault's AWS secrets engine to generate temporary IAM credentials. The Vault administrator has set the default lease TTL on the AWS mount to 15 minutes. A developer creates a role with role TTL of 30 minutes and explicit max TTL of 1 hour. Which TWO statements are true regarding the lease behavior for credentials generated under this role?

Question 11mediumdrag order
Read the full Manage Vault leases explanation →

Drag and drop the steps to configure Vault's audit logging to a file into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Read the full Manage Vault leases explanation →

Match each Vault term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Encrypted state requiring unseal

Decrypt master key to access data

Encryption layer protecting storage

Key splitting for unseal

Superuser token with full access

Question 13hardmultiple choice
Read the full Manage Vault leases explanation →

An administrator notices that after revoking a specific lease, the underlying database credential is still accessible. What is the most likely cause?

Question 14easymultiple choice
Read the full Manage Vault leases explanation →

What command is used to view the remaining time on a lease?

Question 15hardmultiple choice
Read the full Manage Vault leases explanation →

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

Question 16mediummultiple choice
Read the full Manage Vault leases explanation →

A developer wants to ensure that their application automatically renews its secret leases before expiration. Which approach is recommended?

Question 17easymultiple choice
Read the full Manage Vault leases explanation →

Which of the following best describes a Vault lease?

Question 18mediummultiple choice
Read the full Manage Vault leases explanation →

An operator runs vault lease list and sees many expired leases. Why are expired leases still listed?

Question 19easymultiple choice
Read the full Manage Vault leases explanation →

What happens when a lease reaches its TTL?

Question 20mediummultiple choice
Read the full Manage Vault leases explanation →

A security policy requires that all leases must be revoked within 1 hour of creation. Which setting should be configured on the secret engine mount?

Question 21hardmultiple choice
Read the full Manage Vault leases explanation →

After a Vault migration, some leases are no longer valid and cause errors. What is the best way to force a cleanup of all leases under a specific mount without affecting other mounts?

Question 22mediummulti select
Read the full Manage Vault leases explanation →

Which two commands can be used to manually revoke leases? (Choose two.)

Question 23hardmulti select
Read the full Manage Vault leases explanation →

Which three statements about lease renewal are correct? (Choose three.)

Question 24easymulti select
Read the full Manage Vault leases explanation →

Which two of the following are valid lease operations? (Choose two.)

Question 25hardmultiple choice
Read the full Manage Vault leases explanation →

Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?

Exhibit

Key                Value
---                -----
lease_id           database/creds/readonly/xyz789
lease_duration     30m
lease_renewable    true
password           ...
username           ...
Question 26mediummultiple choice
Read the full Manage Vault leases explanation →

Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?

Exhibit

path "database/creds/readonly" {
  capabilities = ["read"]
}
Question 27easymultiple choice
Read the full Manage Vault leases explanation →

Refer to the exhibit. What is the most likely cause of this error?

Exhibit

Error renewing lease: lease not found
Question 28mediummultiple choice
Read the full Manage Vault leases explanation →

A DevOps team uses Vault to generate temporary database credentials. They notice that some applications are failing because their database credentials expire unexpectedly before the expected TTL. The Vault admin configured the database role with a default TTL of 1h and max TTL of 24h. What is the most likely cause?

Question 29easymultiple choice
Read the full Manage Vault leases explanation →

An admin wants to revoke all leases associated with a specific AWS IAM user created by Vault. Which command should they use?

Question 30hardmultiple choice
Read the full Manage Vault leases explanation →

A security team wants to ensure that database credentials generated by Vault are never renewed and have a fixed lifespan of 30 minutes. They configure the role with default_ttl=30m and max_ttl=30m, and set renewable=false. However, they find that some users are able to renew the leases anyway. What could be the reason?

Question 31mediummultiple choice
Read the full Manage Vault leases explanation →

A Vault administrator wants to configure a role for dynamic secrets with a default TTL of 1 hour and a max TTL of 4 hours. They also want to allow renewal but only up to the max TTL. Which configuration achieves this?

Question 32easymultiple choice
Read the full Manage Vault leases explanation →

An admin needs to check the remaining lifespan of a lease. Which command should they use?

Question 33hardmultiple choice
Read the full Manage Vault leases explanation →

An organization uses Vault with a database secrets engine. They have a role that issues credentials with a lease TTL of 30 minutes. After some time, they notice that the database is full of stale users. What is the most likely cause?

Question 34mediummultiple choice
Read the full Manage Vault leases explanation →

A Vault operator accidentally revoked a token that was used to lease many database credentials. What happens to the leases associated with that token?

Question 35easymultiple choice
Read the full Manage Vault leases explanation →

Which of the following commands would force a lease to expire immediately?

Question 36hardmultiple choice
Read the full Manage Vault leases explanation →

A company uses Vault to manage SSH OTP credentials. They set the role with default_ttl=5m and max_ttl=30m. Users report that they receive an error when trying to renew the OTP after 10 minutes. What is the most likely reason?

Question 37mediummulti select
Read the full NAT/PAT explanation →

An admin wants to view all active leases for a specific secrets engine path. Which two approaches are valid? (Choose two.)

Question 38mediummulti select
Read the full Manage Vault leases explanation →

Which of the following factors determine the actual TTL of a lease issued by a secrets engine? (Choose three.)

Question 39mediummulti select
Read the full Manage Vault leases explanation →

An admin needs to revoke all leases associated with a particular policy violation. Which two methods can be used? (Choose two.)

Question 40easymultiple choice
Read the full Manage Vault leases explanation →

Based on the exhibit, what is the maximum total lifespan of this lease?

Exhibit

Refer to the exhibit.

```
$ vault lease lookup database/creds/readonly/abc123
Key                 Value
---                 -----
id                  database/creds/readonly/abc123
issue_time          2023-10-05T14:30:00Z
renewable           true
ttl                 30m
max_ttl             1h
```
Question 41easymultiple choice
Read the full Manage Vault leases explanation →

A developer requests a credential from this role. Which statement about the resulting lease is true?

Exhibit

Refer to the exhibit.

```
vault write database/roles/mydb \
    db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl=1h \
    max_ttl=24h \
    renewable=false
```
Question 42hardmultiple choice
Read the full Manage Vault leases explanation →

A large enterprise runs Vault in a production environment with multiple secrets engines, including databases, AWS, and PKI. Recently, the operations team noticed that the number of active leases has grown significantly, causing performance degradation in Vault. The team suspects that many leases are orphaned or expired but not cleaned up. They run the vault lease tidy command regularly, but the issue persists. The vault audit logs show no errors during revocation. However, the team observes that the database credentials are being revoked correctly, but the PKI certificates are not being revoked when their leases expire. Additionally, some AWS IAM user leases seem to persist beyond their max TTL. What is the most likely cause of this issue?

Question 43easymultiple choice
Read the full Manage Vault leases explanation →

A development team is using Vault to dynamically generate PostgreSQL credentials for their application. They configured a database role with a max_lease_ttl of 24 hours. However, credentials are becoming invalid after only 1 hour, causing application errors. The team has verified that the credentials are not being explicitly revoked. Which action should the Vault administrator take to resolve this issue?

Question 44mediummultiple choice
Read the full NAT/PAT explanation →

An application uses Vault's KV v2 secrets engine to read a static secret (e.g., API key) at path 'secret/data/myapp/config'. The application initially reads the secret and uses the returned lease_id to successfully renew the lease every hour. After a maintenance window, the application starts failing to renew the lease, receiving an error that the lease is not renewable or does not exist. The secret data is still present and accessible via a new read. What is the most likely cause of this failure?

Question 45mediummulti select
Read the full Manage Vault leases explanation →

A Vault operator wants to manage lease durations for secrets issued by a PKI secrets engine. Which two actions can they take to affect the lease duration of certificates?

Question 46hardmultiple choice
Read the full Manage Vault leases explanation →

A Vault operator runs the command shown in the exhibit and wants to renew the lease before it expires. The operator has a valid token. What must be true for the renewal to succeed?

Exhibit

Refer to the exhibit.

```
$ vault lease lookup database/creds/my-role/abc123
Key                  Value
---                  -----
id                   database/creds/my-role/abc123
issue_time           2024-03-15T10:00:00Z
renewable            true
ttl                  1h

expire_time          2024-03-15T11:00:00Z
```
Question 47easymultiple choice
Read the full Manage Vault leases explanation →

A company runs a microservices architecture where each service authenticates to Vault using AppRole and is assigned a role with a periodic token. The operations team notices that some services experience authentication failures after exactly 24 hours of uptime, even though their tokens were initially issued with a TTL of 24 hours and 'renewable' set to true. The services are configured to renew their tokens automatically before expiry. Upon investigation, the Vault logs show the error: 'failed to renew token: token has exceeded its max TTL'. The Vault server is configured with a default 'max_lease_ttl' of 24 hours and a 'default_lease_ttl' of 1 hour at the system level. The AppRole role has no explicit TTL or max TTL set. What is the most likely cause of the failure?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

VA-003 Practice Test 1 — 10 Questions→VA-003 Practice Test 2 — 10 Questions→VA-003 Practice Test 3 — 10 Questions→VA-003 Practice Test 4 — 10 Questions→VA-003 Practice Test 5 — 10 Questions→VA-003 Practice Exam 1 — 20 Questions→VA-003 Practice Exam 2 — 20 Questions→VA-003 Practice Exam 3 — 20 Questions→VA-003 Practice Exam 4 — 20 Questions→Free VA-003 Practice Test 1 — 30 Questions→Free VA-003 Practice Test 2 — 30 Questions→Free VA-003 Practice Test 3 — 30 Questions→VA-003 Practice Questions 1 — 50 Questions→VA-003 Practice Questions 2 — 50 Questions→VA-003 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Compare authentication methodsAssess Vault tokensCreate Vault policiesManage Vault leasesCompare and configure secrets enginesUtilize Vault CLI and APIExplain Vault architectureExplain encryption as a service

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Manage Vault leases setsAll Manage Vault leases questionsVA-003 Practice Hub