HashiCorp · 2026 Edition
A complete preparation guide written by HashiCorp-certified engineers. Covers the exam format, all 8 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 4–8 weeks
Difficulty: Intermediate
Exam questions: 57
Pass mark: 700/1000
Exam code: VA-003
Full name: HashiCorp Vault Associate
Vendor: HashiCorp
Duration: 60 minutes
Questions: 57 items
Passing score: 700/1000 (scaled)
Domains covered: 8 blueprint domains
Recommended experience: Familiarity with basic security concepts and cloud infrastructure; Terraform experience is helpful
Typical prep time: 4–8 weeks
HashiCorp Vault Associate validates the ability to use Vault to manage secrets, encryption, and access control. As organisations replace static credentials with dynamic secrets, Vault skills are increasingly demanded in security engineering and platform engineering roles.
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–2
Vault Architecture: storage backends, secrets engines, authentication methods, audit devices
Tip: Know the Vault architecture components: Secrets Engines (store and generate secrets — KV, database, AWS, PKI, TOTP), Auth Methods (authenticate identities — Token, AppRole, AWS, Kubernetes, LDAP), Policies (define what an authenticated identity can do — HCL policy language), Audit Devices (write audit logs to file, syslog, or socket).
Weeks 3–4
Authentication Methods: Token, AppRole, AWS, Kubernetes, and token types
Tip: AppRole authentication is the most tested auth method on the Vault Associate exam. Know the AppRole flow: administrator creates a role, retrieves RoleID (non-secret, can be baked into the application), application retrieves SecretID (secret, short-lived), application calls vault write auth/approle/login with both to get a token.
Weeks 5–6
Secrets Engines: KV v1 vs v2, database secrets (dynamic secrets), PKI, AWS
Tip: Dynamic secrets are the primary value proposition of Vault. Know how the database secrets engine works: Vault connects to a database → administrator configures a role (SQL statements to create/revoke credentials) → application calls Vault for a lease → Vault creates a short-lived database user → Vault revokes the user when the lease expires. No long-lived credentials exist.
Weeks 7–8
Vault Policies, Response Wrapping, Encryption as a Service, and Operations
Tip: Transit secrets engine (Encryption as a Service) is tested on Vault Associate: Vault encrypts/decrypts data for applications without the application ever having access to the key. Know the transit operations: encrypt (returns ciphertext), decrypt (returns plaintext), rewrap (re-encrypt with a new key version without decrypting first).
VA-003 exam: 57 questions, 60 minutes, 70% to pass. Knowledge-based multiple choice — no live lab. Practice using the Vault CLI and HTTP API in a local dev environment (vault server -dev).
Vault token TTLs and renewability: tokens have a TTL (time-to-live) and optionally a max TTL. Renewable tokens can be extended up to the max TTL; periodic tokens renew indefinitely (no max TTL, used for long-running services). Know the difference and when each is appropriate.
Seal and unseal: Vault starts sealed (encrypted, unusable). The unseal process requires providing enough unseal keys (default 3 of 5 using Shamir's Secret Sharing) to reconstruct the master key. Auto-unseal uses cloud KMS (AWS KMS, Azure Key Vault, GCP CKMS) to unseal without manual key entry — essential for automated deployments.
Vault namespaces (Enterprise feature): logical isolation within a single Vault cluster. Know that namespaces enable multi-tenant Vault deployments where different teams or business units have isolated secret stores, policies, and auth methods.
Response wrapping is a Vault security feature: instead of returning a secret directly, Vault returns a single-use wrapping token. The recipient unwraps the token to get the actual secret. This ensures that only the intended recipient receives the secret and that any interception is detected (the token is already used).
Deep-dive explanations of the key topics tested on VA-003 — with exam key points and common misconceptions.