VA-003 Assess Vault tokens • Complete Question Bank

VA-003 Assess Vault tokens — All Questions With Answers

Complete VA-003 Assess Vault tokens question bank — all 0 questions with answers and detailed explanations.

93 Questions
Question 1 (medium, multiple choice)

A DevOps team is using Vault tokens for authentication in CI/CD pipelines. They notice that tokens are often expired before the pipeline completes, causing failures. Which Vault feature should they use to address this without manual intervention?

Question 2 (hard, multiple choice)

An application uses a Vault token with a policy that grants read access to secrets. The security team wants to ensure that if the application is compromised, the token cannot be used after a certain time even if the attacker has the token. What is the best approach?

Question 3 (easy, multiple choice)

A developer created a token and wants to ensure that the token can only be used to read secrets from the 'secret/data/production' path. Which policy attachment approach should be used?

Question 4 (medium, multiple choice)

A Vault administrator wants to allow a CI/CD pipeline to create short-lived tokens for deployment jobs. The pipeline itself authenticates with a periodic token. Which token type should the pipeline use to create tokens for jobs, considering the jobs need to be independent and not affected by the pipeline token's lifecycle?

Question 5 (hard, multiple choice)

An organization uses Vault with AWS IAM auth. After rotating the AWS IAM role credentials, users are unable to authenticate with Vault. The Vault audit logs show 'permission denied' for the AWS auth method. What is the most likely cause?

Question 6 (easy, multiple choice)

A Vault user wants to check the capabilities of their token on a specific path. Which command should they use?

Question 7 (medium, multiple choice)

A security analyst discovers that a token used by a legacy application is still active long after the application was decommissioned. Which Vault feature should have been used to automatically expire tokens when the application is no longer running?

Question 8 (hard, multiple choice)

An administrator wants to ensure that a token created by a user cannot be used after 24 hours, even if the user tries to renew it. What should the administrator do?

Question 9 (medium, multi select)

Which TWO of the following are valid methods to revoke a Vault token?

Question 10 (hard, multi select)

Which THREE of the following are true about batch tokens?

Question 11 (easy, multi select)

Which TWO of the following are valid token states?

Question 12 (medium, multi select)

Which THREE of the following are valid sources of token TTL?

Question 13 (hard, multiple choice)

A large enterprise runs a microservices architecture on Kubernetes. Each microservice authenticates to Vault using the Kubernetes auth method with a service account token. The Vault administrator configured a role 'microservice-role' with a TTL of 24h and a max TTL of 48h. The microservices renew their tokens every 12 hours via a sidecar. Recently, the security team noticed that some tokens are still valid after 72 hours, causing a security concern. The audit logs show that the tokens were renewed successfully multiple times. The administrator reviews the role configuration and sees that 'token_renewable' is set to true. What is the most likely reason the tokens are exceeding the intended 48h max TTL?

Question 14 (medium, multiple choice)

A DevOps team is using Vault tokens with short TTLs for CI/CD jobs. They notice that some jobs fail intermittently with 'permission denied' errors even though the token policy grants the required capabilities. The token is created with a TTL of 10 minutes and renewed automatically by the client library. What is the most likely cause of the failures?

Question 15 (hard, multi select)

Which TWO of the following scenarios require the use of a periodic token?

Question 16 (hard, multiple choice)

Refer to the exhibit. A developer reports that a token they created using `vault token create -policy=my-policy -ttl=2h` is no longer working after 1 hour. The token lookup output shows the token details. What is the most likely cause?

Exhibit

```
$ vault token lookup s.abc123
Key                 Value
---                 -----
accessor            a.xyz789
creation_time       1712345678
expiration_time     1712355678
creation_ttl        2h
display_name        mytoken
entity_id           entity-uuid-123
meta                map[team:dev]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
renewable           true
type                service
```
Question 17 (easy, multiple choice)

Your company uses Vault to manage secrets for a fleet of microservices running on Kubernetes. Each microservice has a service account that authenticates to Vault using the Kubernetes auth method and receives a token with a policy granting access to its secrets. Recently, the team noticed that some tokens are being revoked prematurely, causing services to lose access to secrets. The tokens are created with a TTL of 24 hours and are set to be renewable. The Vault servers are configured with a default max_ttl of 24 hours. The tokens are renewed by the client libraries every 12 hours. Despite this, tokens are sometimes invalid before 24 hours. What should the team do to prevent this issue?

Question 18 (easy, multi select)

A DevOps team is troubleshooting token access in Vault. They need to determine which of the following token operations require sudo capability. Which TWO operations require sudo capability?

Question 19 (medium, multiple choice)

A token has the properties shown in the exhibit. A user attempts to use this token to write a secret to 'secret/data/myapp'. The token fails with a permission denied error. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ vault token lookup -accessor 7c7f5d5c-5e5f-4a5b-8c8d-9e0f1a2b3c4d
Key                 Value
---                 -----
accessor            7c7f5d5c-5e5f-4a5b-8c8d-9e0f1a2b3c4d
creation_time       1625097600
creation_ttl        24h
display_name        my-token
explicit_max_ttl    0s
id                  s.abcdefghijklmnopqrstuvwxyz
issue_time          2021-07-01T00:00:00Z
meta                map[user:alice]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
ttl                 12h
type                service
```
Question 20 (hard, multiple choice)

A large enterprise runs Vault in a production environment with hundreds of applications. Each application uses a unique Vault token with a 30-day TTL. The tokens are created by a central CI/CD pipeline using Vault's token auth method. Recently, the security team noticed that several tokens with suspicious activity have been created with a 90-day TTL, and the tokens appear to be long-lived and not revoked after use. The CI/CD pipeline logs show no anomalies. The audit logs reveal that the tokens in question were created by a human user 'jdoe' using a token with the 'admin' policy. The 'admin' policy grants '*' capabilities on all paths. The Vault token accessor shows that the suspicious tokens have a 'creation_ttl' of 2160h (90 days) and 'explicit_max_ttl' of 0s. The Vault configuration uses a default lease TTL of 24h and a max lease TTL of 720h (30 days). Which action should the security team take to prevent such incidents in the future without breaking existing applications?

Question 21 (medium, drag order)

Drag and drop the steps to initialize and unseal a Vault server for the first time into the correct order.

Question 22 (medium, drag order)

Drag and drop the steps to perform a Vault disaster recovery using the replication feature into the correct order.

Question 23 (medium, matching)

Match each Vault auth method to its authentication mechanism.

Matches

RoleID and SecretID

Username/password against LDAP server

Static or periodic tokens

Service account token

JSON Web Token / OpenID Connect

Question 24 (medium, matching)

Match each Vault seal type to its description.

Matches

Split key into shares

Use AWS Key Management Service

Use Azure Key Vault

Use Google Cloud KMS

Use hardware security module

Question 25 (medium, multiple choice)

A DevOps team generates a large number of short-lived tokens for automated deployments. They want to minimize storage overhead and avoid the need for token revocation. Which token type should they use?

Question 26 (easy, multiple choice)

An administrator needs to revoke a token but wants to keep all child tokens that were created using this token as the parent. Which revocation operation should be used?

Question 27 (hard, multiple choice)

An application's token is failing to renew, and the logs show 'token not renewable'. The token was created with a TTL of 24h and no explicit max TTL. What is the most likely cause?

Question 28 (medium, multiple choice)

A security audit requires tracking token usage without exposing the token value itself. Which token attribute should be logged?

Question 29 (easy, multiple choice)

A development team needs tokens that can be renewed automatically as long as they are still in use, up to a maximum lifetime of 72 hours. Which token type and configuration should be used?

Question 30 (hard, multiple choice)

An administrator receives an access denied error when trying to use the token accessor to revoke a token. The administrator's token has the following policy capabilities: path "auth/token/revoke-accessor" { capabilities = ["create", "update"] }. What is the issue?

Question 31 (medium, multiple choice)

A periodic token is created with a TTL of 30 days. After 60 days, the token is still in use but suddenly stops working. What is the most likely reason?

Question 32 (easy, multiple choice)

An engineer wants to list all tokens associated with a specific token accessor. Which API endpoint should be used?

Question 33 (hard, multiple choice)

A token is created with policies 'default' and 'web-app'. Later, a parent token's policy is updated to add 'logging'. The child token's policies are not updated. What will happen when the child token is used?

Question 34 (medium, multi select)

Which TWO of the following are true about token accessors?

Question 35 (hard, multi select)

Which THREE of the following are valid parameters when creating a token via the API?

Question 36 (easy, multi select)

Which TWO statements are true about batch tokens?

Question 37 (medium, multiple choice)

Based on the exhibit, what is the maximum lifetime of this token?

Exhibit

Refer to the exhibit.
```
$ vault token lookup
Key                 Value
---                 -----
accessor            abc123
expire_time         2025-06-01T12:00:00Z
id                  s.abcdefghijklmnop
issue_time          2025-05-01T12:00:00Z
meta                map[team:dev]
policies            [default devops]
renewable           true
ttl                 720h
type                service
```
Question 38 (hard, multiple choice)

An administrator creates a token role with 'allowed_policies' and tries to create a child token. What does this error indicate?

Exhibit

Refer to the exhibit.
```
$ vault write auth/token/create policies=default ttl=1h
Error writing data to auth/token/create: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/token/create
Code: 400. Errors:

* token count per user (3) exceeded
```
Question 39 (easy, multiple choice)

A token with the above policy attempts to look up its own token by calling the accessor endpoint. What will happen?

Exhibit

Refer to the exhibit.
```
path "secret/data/app/*" {
  capabilities = ["read", "list"]
}
path "auth/token/lookup" {
  capabilities = ["sudo"]
}
```
Question 40 (medium, multiple choice)

A DevOps engineer notices that a long-running application using a Vault token fails after 24 hours. The token was created with a TTL of 48h. The token role has a default TTL of 48h and a max TTL of 72h. What is the most likely cause of the failure?

Question 41 (easy, multiple choice)

A security team wants to ensure that tokens can be revoked immediately if a compromised token is detected, even if the token ID is unknown. Which token feature should they use?

Question 42 (hard, multiple choice)

An admin creates a token with TTL=48h and explicit_max_ttl=120h. The token is renewed every 24h. After 10 days, will the token still be valid?

Question 43 (medium, multiple choice)

Which token type should be used for short-lived credentials that do not need to be renewed?

Question 44 (hard, multiple choice)

A Vault cluster has a token with the following policy: path "secret/data/dev/*" { capabilities = ["read", "list"] }. The token is used to read a secret at "secret/data/dev/password". The read succeeds. Later, the token tries to read "secret/data/prod/password". What happens?

Question 45 (easy, multiple choice)

What is the purpose of a token's "period" attribute?

Question 46 (medium, multiple choice)

A team needs to issue unique tokens to each of 100 microservices, each with its own policy, and ensure that revoking one token does not affect others. Which token feature should they use?

Question 47 (easy, multiple choice)

Where can you view a list of all active tokens in Vault?

Question 48 (hard, multiple choice)

An application uses a periodic token with period=24h. The application renews every 12h. After 48h, the token is still valid. After 72h, the token is still valid. What is the maximum lifetime of this periodic token?

Question 49 (easy, multi select)

Which TWO statements about batch tokens are true?

Question 50 (medium, multi select)

Which TWO methods can be used to revoke a token without knowing the token ID?

Question 51 (hard, multi select)

Which THREE factors influence the maximum TTL of a token?

Question 52 (hard, multiple choice)

Refer to the exhibit. A user attempts to renew the token after 20 hours. What will happen?

Exhibit

```
$ vault token create -policy=my-policy -ttl=12h -explicit-max-ttl=24h
Key                  Value
---                  -----
token                s.f2g3h4j5k6l7
token_accessor       a1b2c3d4e5f6
token_duration       12h
token_renewable      true
token_policies       ["default" "my-policy"]
identity_policies    []
policies             ["default" "my-policy"]
```
Question 53 (easy, multiple choice)

Refer to the exhibit. A token has this policy. Which action can the token perform?

Exhibit

```
path "secret/data/engineering/*" {
  capabilities = ["read", "list"]
}
path "secret/data/finance/*" {
  capabilities = ["create", "update"]
}
```
Question 54 (medium, multiple choice)

Refer to the exhibit. An admin wants to ensure this token can be used for 60 hours total. Which action should be taken?

Exhibit

```
$ vault token lookup s.abc123
Key                 Value
---                 -----
accessor            a1b2c3d4e5f6
creation_time       1700000000
creation_ttl        24h
display_name        my-app
explicit_max_ttl    48h
expire_time         1700014400
id                  s.abc123
issue_time          1700000000
meta                map[service:app1]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
renewable           true
ttl                 24h
type                service
```
Question 55 (easy, multiple choice)

A developer needs a token that can be used only 5 times and must expire after 24 hours, regardless of the number of uses. Which token creation method should be used to enforce these constraints?

Question 56 (medium, multiple choice)

A user's token was revoked by an administrator, but the user can still read secrets from a KV v1 secrets engine. What is the most likely reason?

Question 57 (hard, multiple choice)

An organization uses Vault's token auth method to issue tokens for long-running services. They want to ensure that tokens are automatically revoked after 30 days, even if the service repeatedly renews them. Which token role configuration achieves this?

Question 58 (easy, multiple choice)

A DevOps engineer needs to create a token that can only read secrets under the path 'secret/engineering'. What is the recommended approach?

Question 59 (medium, multiple choice)

A token with a policy granting 'write' on 'secret/team-alpha/*' is unable to write to 'secret/team-alpha/db-creds' in a KV v2 engine. What is the most likely cause?

Question 60 (hard, multiple choice)

An administrator wants to audit token usage without exposing the actual token IDs to auditors. Which approach should they use?

Question 61 (easy, multiple choice)

A user forgets to renew their token before it expires. What happens to the token and its associated leases?

Question 62 (medium, multiple choice)

A security team wants to issue tokens that can be used for exactly 10 API calls, after which they must be renewed. Which two token parameters should be set on the token role?

Question 63 (hard, multiple choice)

A token with a policy that explicitly denies 'read' on 'secret/engineering/private' is issued. The same token also has another policy that grants 'read' on 'secret/engineering/*'. What is the result when the token tries to read 'secret/engineering/private'?

Question 64 (medium, multi select)

An administrator needs to issue tokens that are automatically renewable by the client (so they can stay alive as long as renewed) but must expire no later than 30 days. Which TWO token parameters should be configured on the token role?

Question 65 (hard, multi select)

Which THREE statements about token accessors are true?

Question 66 (medium, multi select)

A DevOps engineer is troubleshooting an issue where a token cannot read a secret from the KV v2 engine at path 'secret/team-alpha/db-creds'. The token's policy includes the following: path "secret/team-alpha/*" { capabilities = ["read"] }. Which TWO reasons could explain the failure?

Question 67 (medium, multiple choice)

The token was created 12 hours ago and has not been used yet. What will happen if the token is not used or renewed?

Exhibit

Refer to the exhibit.

```
$ vault token lookup -accessor av.xyz123...
Key                 Value
---                 -----
creation_ttl        24h
ttl                 12h
renewable           true
num_uses            5
policies            [default mypolicy]
```
Question 68 (hard, multiple choice)

A token with this policy attempts to read the secret at path 'secret/data/engineering/special'. Will the read succeed?

Exhibit

Refer to the exhibit.

```json
{
  "policy": [
    {
      "path": "secret/data/engineering/*",
      "capabilities": ["read"]
    },
    {
      "path": "secret/engineering/special",
      "capabilities": ["create", "update"]
    }
  ]
}
```
Question 69 (easy, multiple choice)

A user receives this error when trying to read a secret. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
Error reading secret/data/foo:
Error making API request.
URL: GET http://127.0.0.1:8200/v1/secret/data/foo
Code: 403. Errors:
* permission denied
```
Question 70 (easy, multiple choice)

An administrator creates a service token with a TTL of 1 hour and a max TTL of 24 hours. The token is renewed once after 55 minutes. What happens to the token after 24 hours from creation?

Question 71 (medium, multiple choice)

A CI/CD pipeline needs to generate thousands of short-lived tokens each day for jobs that run for at most 5 minutes. The tokens should not be renewable or revocable individually. Which token type should be used?

Question 72 (hard, multiple choice)

A root token creates token T1 with a TTL of 1 hour. T1 then creates token T2 with a TTL of 2 hours. After 30 minutes, T1 is revoked without using the 'cascade' option. What happens to T2?

Question 73 (hard, multiple choice)

A Vault operator runs 'vault token lookup s.abc123' and sees that the token type is 'service', renewable is true, but the ttl is 30m and creation_ttl is 1h. The token has num_uses set to 0. What is the most likely explanation for the discrepancy between ttl and creation_ttl?

Question 74 (medium, multiple choice)

A developer needs to manually revoke a token but only knows its accessor. Which Vault API endpoint can be used to revoke the token using only the accessor?

Question 75 (easy, multiple choice)

A security policy requires that all tokens are revoked when a user leaves the organization. What is the most efficient way to revoke all tokens issued to that user?

Question 76 (easy, multiple choice)

A developer creates a token using the 'token create' command with the 'period=24h' flag. What type of token is created?

Question 77 (medium, multiple choice)

An application using a service token fails to renew it, receiving an error 'permission denied'. The token has policies that include 'path "auth/token/renew-self" { capabilities = ["update"] }'. The token is not expired and has remaining TTL. What is a likely cause?

Question 78 (hard, multiple choice)

A Vault administrator wants to ensure that when a parent token is revoked, all child tokens are also automatically revoked. Which option should they use?

Question 79 (easy, multi select)

Which TWO of the following are valid uses of a token accessor? (Select exactly 2 options.)

Question 80 (medium, multi select)

Which THREE of the following token properties are immutable after token creation? (Select exactly 3 options.)

Question 81 (hard, multi select)

Which TWO of the following are valid reasons for a token renewal to fail with a 'lease not found' or 'token not found' error? (Select exactly 2 options.)

Question 82 (medium, multiple choice)

Refer to the exhibit. A developer tries to renew a token and receives this error. The token was created using 'vault token create -type=batch'. What is the most likely cause of this error?

Exhibit

```
Error writing data to auth/token/renew: Error making API request.

URL: PUT http://localhost:8200/v1/auth/token/renew
Code: 400. Errors:

* no matching lease for token
```
Question 83 (hard, multiple choice)

A company uses HashiCorp Vault in production to manage secrets for its microservices. One microservice, 'order-svc', authenticates via AppRole and receives a service token with a TTL of 24 hours and a max TTL of 48 hours. Over the past few days, operations teams report that 'order-svc' fails to renew its token after approximately 23 hours, causing authentication failures. The token lookup shows the token is still alive with about 1 hour of TTL remaining, but renewal attempts return a 'permission denied' error. The Vault audit logs show the renewal request is reaching Vault and being denied. The token's policies include 'path "auth/token/renew-self" { capabilities = ["update"] }'. The token was created with the default options. What is the most likely cause of this failure?

Question 84 (medium, multiple choice)

A security team wants to enforce that all tokens created by a specific AppRole can only be used to read secrets from the path 'secret/data/team-a/*'. They have configured the AppRole with token_policies that include that path. However, a developer uses the token created from this AppRole to create a child token with broader policies, granting access to 'secret/data/team-b/*'. The security team wants to prevent such privilege escalation. Which action should be taken to ensure that child tokens cannot have broader policies than the parent?

Question 85 (medium, multi select)

Which TWO of the following are true about Vault token accessors?

Question 86 (easy, multiple choice)

A DevOps team uses Vault to manage secrets for a microservices application. The application authenticates to Vault using AppRole, and each service obtains a periodic token with a TTL of 24 hours and a period of 1 hour. The tokens are used to read secrets from a path. Recently, the team noticed that some services are unable to read secrets after a few hours, with error messages indicating that the token is not authorized or has expired. Upon investigation, the team finds that the tokens are being renewed properly but still fail after some time. What is the most likely cause of this issue?

Question 87 (medium, multiple choice)

A security audit reveals that many Vault tokens in an organization are orphan tokens (tokens with no parent). The tokens were created using a batch token creation script that did not set an explicit parent. The security team is concerned about these orphan tokens because they cannot be managed through the usual parent-child hierarchy. They want to revoke all orphan tokens created more than 30 days ago. However, the team does not have a list of token IDs for these tokens. Which approach should the team take to revoke the orphan tokens?

Question 88 (hard, multiple choice)

A large enterprise uses Vault with multiple namespaces for different business units. The security team has implemented a policy that requires all tokens to be created with a bounded set of allowed policies defined in a token role. The token role allows policies 'app-dev', 'app-staging', and 'app-prod' for the development namespace. The token role has token_type set to 'service'. A developer attempts to create a token using this role but specifies an additional policy 'admin' in the creation request. The Vault administrator expects this request to fail because 'admin' is not in the allowed policies list. However, the token is created successfully with only the allowed policies applied. Why did the request succeed?

Question 89 (medium, multiple choice)

A company uses Vault to issue tokens for short-lived tasks. They have configured a token role with 'period' set to 30 minutes and 'explicit_max_ttl' set to 24 hours. Tokens are created using the role and are expected to be renewed every 30 minutes by the tasks. However, after a few renewals, the Vault audit logs show that a token was renewed but then immediately expired. The task that was using the token failed. What is the most likely reason for this behavior?

Question 90 (hard, multiple choice)

A cloud-native application uses Vault's Kubernetes auth method to inject tokens into pods. Each pod receives a Vault token with a TTL of 1 hour, renewable. The application is designed to renew tokens before they expire. However, after a recent update, some pods are failing to authenticate with Vault, reporting 'token not found' errors. The operations team checks the Vault audit logs and sees that tokens associated with these pods are being revoked immediately after creation. The pods have not performed any revocation. What is the most likely cause?

Question 91 (medium, multi select)

An administrator is reviewing Vault token policies and wants to ensure that tokens created by a specific application cannot be renewed and have a fixed lifetime. Which two token configurations should be applied?

Question 92 (hard, multiple choice)

Refer to the exhibit. A token was created with a creation_ttl of 24h, explicit_max_ttl of 10h, and a current ttl of 12h. What will happen when the token reaches its explicit_max_ttl?

Exhibit

```
Key                 Value
---                 -----
accessor            abc123def456
creation_time       2025-01-15T10:00:00Z
creation_ttl        24h
display_name        app-token
entity_id           n/a
expire_time         2025-01-16T10:00:00Z
explicit_max_ttl    10h
id                  hvs.xyz789
issue_time          2025-01-15T10:00:00Z
meta                map[role:my-role]
num_uses            0
orphan              false
path                auth/token/create
policies            [default my-policy]
renewable           true
ttl                 12h
type                service
```
Question 93 (easy, multiple choice)

A company runs multiple microservices in a Kubernetes cluster. Each microservice authenticates to Vault using a service token created via the token auth method. The tokens are created with a default TTL of 72h, a max TTL of 168h, and renewable set to true. The services are configured to renew their tokens when the remaining TTL drops below 24h. Recently, some tokens have been expiring prematurely, causing service outages. Upon investigation, you find that the expired tokens were created with a role that includes explicit_max_ttl = 72h. The services see the TTL decreasing normally, but then it jumps to zero even though the services attempted renewal. What is the most likely cause and correct action?
