Question 481 of 514
Compare and configure secrets engines · easy · Multiple Choice · Objective-mapped

Quick Answer

The answer is that the database configuration uses a connection_url with template variables but provides static admin credentials, not root rotation. This is the most likely cause when database credential revocation is not working after TTL expiry because Vault relies on tracking the current root password to execute REVOKE commands against the database. Without rotating the root credentials via the rotate-root endpoint, Vault cannot authenticate to the database to perform cleanup, so generated credentials remain active indefinitely. On the HashiCorp Vault Associate VA-003 exam, this scenario tests your understanding of the database secrets engine lifecycle, specifically that root credential rotation is a prerequisite for automatic revocation. A common trap is assuming that simply setting a TTL is enough, but Vault must be able to log in as the admin to revoke leases. Memory tip: “No rotate, no revoke”: if the root isn’t rotated, revocation is broken.

VA-003 Compare and configure secrets engines Practice Question

This VA-003 practice question tests your understanding of how to compare and configure secrets engines. The scenario asks you to isolate a root cause, so eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to see why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

```
$ vault secrets enable -path=postgres database
Success! Enabled the database secrets engine at: postgres/

$ vault write postgres/config/my-postgres-database \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb" \
    username="admin" \
    password="password"
Success! Data written to: postgres/config/my-postgres-database

$ vault write postgres/roles/my-role \
    db_name=my-postgres-database \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: postgres/roles/my-role
```

A DevOps engineer creates the configuration above. After testing, they notice that the generated database credentials are not being revoked after the TTL expires. What is the most likely cause?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Correct answer & explanation

The database configuration uses a connection_url with template variables but provides static admin credentials, not root rotation

Option C is correct because the database secrets engine requires root credential rotation to enable automatic revocation of generated credentials. When the `connection_url` uses template variables like `{{username}}` and `{{password}}` but the admin credentials are static (not rotated via `rotate-root`), Vault cannot track the actual root password. Without root rotation, Vault lacks the ability to execute `REVOKE` commands after TTL expiry because it cannot authenticate to the database with the current root credentials to perform cleanup.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The creation_statements do not include the REVOKE command

    Why it's wrong here

    Revocation is handled by Vault, not by the creation_statements. Vault uses a separate revocation statement if configured, or the root credentials to drop the user.

  • The role definition has a syntax error in the creation_statements

    Why it's wrong here

    The creation_statements are syntactically correct for PostgreSQL.

  • The database configuration uses a connection_url with template variables but provides static admin credentials, not root rotation

    Why this is correct

    Without root credentials rotation, Vault cannot revoke dynamically created users because it uses the same admin credentials to manage them. The root credentials should be rotated first.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The secrets engine is enabled at a path other than 'database/'

    Why it's wrong here

    The path 'postgres/' is non-default but valid; revocation works regardless of path.

Common exam traps

Common exam trap: answer the scenario, not the keyword

HashiCorp often tests the misconception that `creation_statements` control both creation and revocation, or that the secrets engine path affects functionality, when the real issue is the missing root rotation step that enables Vault to maintain a valid admin session for cleanup operations.

Detailed technical explanation

How to think about this question

Under the hood, Vault's database secrets engine uses a root credential rotation mechanism (`/database/rotate-root`) to ensure that only Vault knows the actual admin password. When root rotation is not performed, Vault stores the static admin credentials but cannot guarantee they remain valid for revocation operations, especially if an external admin changes the password. In real-world scenarios, this is a common misconfiguration when migrating from static database users to dynamic secrets, where teams forget to rotate the root credentials after initial setup.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026
