© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

VA-003 Create Vault policies • Complete Question Bank

VA-003 Create Vault policies — All Questions With Answers

Complete VA-003 Create Vault policies question bank — all 0 questions with answers and detailed explanations.

33 questions, free, no signup.

Question 1 (hard, multiple choice)

A company wants to grant developers the ability to read and write secrets under the path 'secret/dev/*', but only they should be able to delete their own secrets. Which policy design best meets this requirement?

Question 2 (medium, multi select)

Which TWO of the following are valid capabilities that can be specified in a Vault policy?

Question 3 (medium, multiple choice)

A DevOps team is managing secrets for a microservices application using Vault. They have created a policy named 'app-policy' that grants read access to secrets under the path 'secret/data/app/*'. The policy is assigned to an AppRole role. When a service authenticates with the role ID and secret ID, it receives a token but is unable to read secrets from 'secret/data/app/db-creds'. The token's identity metadata shows the policies associated with the token include 'default' and 'app-policy'. The Vault server logs show no errors. The service can successfully read other secrets from the same path, like 'secret/data/app/config'. What is the most likely cause of the issue?

Question 4 (hard, multiple choice)

A security team wants to ensure that all Vault policies for applications follow the principle of least privilege. They have a policy 'app-kv' that grants read access to secrets under 'secret/data/app/*'. An auditor finds that a developer can also read secrets under 'secret/data/team/*'. The policy currently uses a path-based glob. Which change should the team make to restrict access to only the app path?

Question 5 (medium, multi select)

A DevOps team is writing a Vault policy for a CI/CD pipeline that needs to authenticate using AppRole, read specific secrets, and write dynamic database credentials. Which THREE capabilities should be included in the policy to meet these requirements? (Choose three.)

Question 6 (easy, multiple choice)

Refer to the exhibit. A developer reports that they cannot read secrets under 'secret/data/kv-v2/engineering/db-pass' using a token that has the above policy attached. What is the most likely cause?

Exhibit

```hcl
path "secret/data/kv-v2/engineering/*" {
  capabilities = ["read", "list"]
}

path "secret/metadata/kv-v2/engineering/*" {
  capabilities = ["read", "list"]
}

path "sys/policies/acl/engineering" {
  capabilities = ["read"]
}
```
Question 7 (medium, drag order)

Drag and drop the steps to create and use a periodic service token in Vault into the correct order.

Question 8 (medium, matching)

Match each Vault command to its function.

Descriptions to match:

- Write a secret
- Read data at a path
- Write data or invoke an endpoint
- Delete a secret or path
- List keys under a path

Question 9 (easy, multiple choice)

A DevOps team needs to create a Vault policy that allows reading secrets from path "secret/data/app" but only for the key "db_password". They want to enforce this using Vault's policy syntax. Which policy statement achieves this?

Question 10 (medium, multiple choice)

A security administrator wants to create a policy that allows a service to renew its own token and list its own token capabilities, but not create new tokens. Which policy statements should be included?

Question 11 (hard, multiple choice)

A Vault administrator is designing a policy for a CI/CD pipeline that must be able to read dynamic database credentials from "database/creds/my-role" and also write to "secret/data/ci-cd" for storing build artifacts. The policy should follow the principle of least privilege. Which policy statements should be used?

Question 12 (easy, multi select)

A Vault operator is crafting a policy for a new application. Which two of the following are valid capabilities in a Vault policy path statement? (Select two.)

Question 13 (medium, multi select)

Which three of the following are valid capabilities in a Vault policy path statement? (Select three.)

Question 14 (hard, multi select)

A Vault policy must allow a service to read secrets from "secret/data/app" and also be able to renew its own token. Which two policy statements are necessary and sufficient for this requirement? (Select two.)

Question 15 (medium, multiple choice)

Refer to the exhibit. A user with this policy attempts to read the secret at path "secret/data/team-a/admin". What will happen?

Exhibit

```hcl
path "secret/data/team-a/*" {
  capabilities = ["read", "list"]
}
path "secret/data/team-a/admin" {
  capabilities = ["deny"]
}
```

Question 16 (hard, multiple choice)

Refer to the exhibit. An application needs to encrypt data using the transit engine with key "app-key". It currently has this policy. Which statement is true?

Exhibit

```hcl
# Vault policy snippet
path "transit/encrypt/app-key" {
  capabilities = ["create", "update"]
}
path "transit/decrypt/app-key" {
  capabilities = ["create", "update"]
}
```

Question 17 (easy, multiple choice)

Refer to the exhibit. A user with this policy tries to write a new secret to "secret/data/production/db". What will happen?

Exhibit

```shell
$ vault policy read my-policy
path "secret/data/production/*" {
  capabilities = ["read"]
}
path "secret/data/staging/*" {
  capabilities = ["create", "update"]
}
```

Question 18 (easy, multiple choice)

A company uses Vault's KV v2 secrets engine. A policy is needed to allow a service to only update existing secrets at path "secret/data/service/config", but not create new ones. Which capabilities should be included?

Question 19 (medium, multiple choice)

An administrator wants to create a policy that grants the ability to list all authentication methods enabled on the Vault server. Which path and capability are required?

Question 20 (hard, multiple choice)

A Vault policy includes the following statement: path "secret/data/+/app" { capabilities = ["read"] }. Which paths would match this policy? (Assume KV v2)

Question 21 (easy, multiple choice)

A policy must allow a user to revoke their own token. Which endpoint and capability are required?

Question 22 (medium, multiple choice)

A Vault policy has the following: path "identity/entity/id/*" { capabilities = ["read", "list"] }. What does this policy allow?

Question 23 (hard, multiple choice)

A Vault cluster has several policies. One policy, "app-policy", contains: path "secret/data/app/*" { capabilities = ["create", "update"] }. Another policy, "admin-policy", includes: path "secret/data/app/db" { capabilities = ["deny"] }. A token is attached with both policies. Can the token write to "secret/data/app/db"?

Question 24 (medium, multiple choice)

A DevOps team has configured a Vault policy to allow reading secrets from the 'secret/data/engineering' path. The policy contains:

```hcl
path "secret/data/engineering/*" {
  capabilities = ["read", "list"]
}
```

However, when a user attempts to read a secret at 'secret/data/engineering/db/password', they receive a permission denied error. What is the most likely cause?

Question 25 (easy, multiple choice)

An organization is implementing Vault policies for the first time. They want to ensure that policies are easy to manage and follow the principle of least privilege. Which approach should they take when creating policies?

Question 26 (hard, multiple choice)

A Vault administrator needs to create a policy that grants users read access only to the secrets that belong to their own team. The team membership is stored in an external identity provider and mapped to Vault entity aliases. The administrator wants to use a templated policy that references the entity's metadata. Which policy syntax accomplishes this goal?

Question 27 (medium, multiple choice)

A developer has a policy that grants 'create' capability on path 'secret/data/team/*'. They successfully create a new secret using 'vault kv put secret/data/team/db', but when they try to update the same secret with new data, they get a permission denied error. What is the most likely cause?

Question 28 (medium, multi select)

An organization is creating Vault policies to manage access to secrets across multiple application teams. According to HashiCorp best practices, which two approaches should be taken when designing policies? (Choose two.)

Question 29 (medium, multiple choice)

A company has deployed Vault with an LDAP auth method and has created entity aliases for all users. The company uses KV v2 secrets engine mounted at 'secret/'. Each team's secrets are stored under a path like 'secret/data/team_<team_name>/'. They have multiple teams (engineering, marketing, sales). Currently, an administrator manually creates a separate policy for each team, e.g., path "secret/data/team_engineering/*" { capabilities = ["read", "list"] }. This is becoming cumbersome as new teams are added. The administrator wants to create a single policy that dynamically grants read access to the secrets path corresponding to the user's team, which is stored in the entity's metadata as 'team'. The LDAP auth method is configured to sync group memberships and map to entity aliases, and the entity metadata is correctly populated. Which approach should the administrator take?

Question 30 (hard, multiple choice)

A development team is using the Vault transit secrets engine to encrypt sensitive data in their application. They have created a policy that includes: path "transit/keys/*" { capabilities = ["encrypt", "decrypt"] } and attached it to their application tokens. However, when the application calls the '/v1/transit/encrypt/my-key' endpoint, it receives a permission denied error. The key 'my-key' exists in the transit engine. The team has verified that the token is not expired and has the correct policy attached. What is the most likely cause of the error?

Question 31 (easy, multi select)

A Vault administrator needs to create a policy for a developer who must read and list secrets from the path 'secret/data/engineering/' and create new secrets under 'secret/data/engineering/projects/'. Which two policy statements should the administrator include? (Choose two.)

Question 32 (medium, multiple choice)

Refer to the exhibit. Based on the policy shown, which statement is true?

Exhibit

```hcl
path "secret/data/engineering/*" {
  capabilities = ["read", "list"]
}
path "secret/data/engineering/projects/*" {
  capabilities = ["create", "update"]
}
```

Question 33 (hard, multiple choice)

A company uses Vault's Kubernetes authentication method to provide secrets to pods. Pods in the 'production' namespace need to read secrets from the path 'secret/data/app/prod'. The administrator has created a Vault role that maps the service account to a policy with capabilities ['read', 'list'] on path 'secret/data/app/*'. However, pods report 'permission denied' when trying to read the secrets. The administrator verifies that the service account has the correct Vault role attached and that the Vault token is being used correctly. What is the most likely cause?
