An application needs to read a secret using the Vault API after authenticating with an AppRole RoleID and SecretID. The application has already obtained a Vault token. Which API endpoint should be called to read a secret at 'secret/data/myapp' with the token?
This is the standard API path to read a KV v2 secret.
Why this answer
Option D is correct because after authentication, the application already has a Vault token and needs to read a secret from the KV v2 secrets engine. The correct API endpoint for reading a secret from the KV v2 engine is GET /v1/secret/data/myapp, where 'secret' is the mount path and 'data' is the sub-path for KV v2 operations. The token is passed in the X-Vault-Token header, not in the URL.
Exam trap
HashiCorp often tests the distinction between KV v1 and KV v2 API paths, specifically that KV v2 requires '/data/' in the path to read secrets, while KV v1 uses a flat path without '/data/'.
How to eliminate wrong answers
Option A is wrong because GET /v1/secret/metadata/myapp is used to read metadata (like version info) of a KV v2 secret, not the secret data itself.
Option B is wrong because POST /v1/auth/approle/login is the endpoint for authenticating with an AppRole RoleID and SecretID to obtain a Vault token, but the question states the application has already obtained a token, so this step is unnecessary.
Option C is wrong because GET /v1/secret/myapp is the endpoint for the KV v1 secrets engine, which does not support versioning and uses a different path structure; the question implies KV v2 (since the path includes 'data'), and using the KV v1 endpoint would fail or return incorrect data.