Scenario-based practice

Hard Difficulty Questions

Practise HashiCorp Vault Associate VA-003 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | exam code: VA-003 | vendor: HashiCorp

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. A developer reports that a token they created using `vault token create -policy=my-policy -ttl=2h` is no longer working after 1 hour. The token lookup output shows the token details. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ vault token lookup s.abc123
Key                 Value
---                 -----
accessor            a.xyz789
creation_time       1712345678
expiration_time     1712355678
creation_ttl        2h
display_name        mytoken
entity_id           entity-uuid-123
meta                map[team:dev]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
renewable           true
type                service
```

Question 2 (hard, multiple choice)

An administrator runs the commands shown in the exhibit. Later, they run `vault kv delete kv-v2/secret` and then `vault kv undelete -versions=1 kv-v2/secret` to recover the secret. Which command must the administrator run to verify that the secret is now readable?

Exhibit

Refer to the exhibit.
```
$ vault secrets enable -path=kv-v2 kv-v2
$ vault kv put kv-v2/secret username=admin password=s3cret
$ vault kv get kv-v2/secret
====== Metadata ======
Key              Value
---              -----
created_time     2023-01-01T00:00:00Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    s3cret
username    admin

$ vault kv metadata get kv-v2/secret
Key                     Value
---                     -----
cas_required            false
created_time            2023-01-01T00:00:00Z
current_version         1
custom_metadata         map[]
delete_version_after    0s
max_versions            0
oldest_version          0
updated_time            2023-01-01T00:00:00Z
```

Question 3 (hard, multi select)

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

Question 4 (hard, multiple choice)

An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?

Question 5 (hard, multi select)

Which TWO best practices should be followed when tuning secrets engine mounts?

Question 6 (hard, multi select)

Which THREE steps are required to configure the database secrets engine for generating dynamic credentials?

Question 7 (hard, multiple choice)

A Vault instance was upgraded from version 1.9 to 1.13. After the upgrade, a secrets engine mounted at 'transit/' is unresponsive and returns an error. The engine type is transit. What is the most likely cause?

Question 8 (hard, multiple choice)

An organization uses a PostgreSQL database. They configure a database secrets engine with a role that grants read-only access. However, after revoking the lease, the database user still exists. What is the most likely cause?

Question 9 (hard, multi select)

Which THREE of the following are true regarding Vault's high availability (HA) and replication? (Choose three.)

Question 10 (hard, multiple choice)

A Vault cluster configured with auto-unseal using AWS KMS is deployed across two availability zones. After a network partition, the standby node remains sealed while the active node is unsealed and serving requests. What is the most likely reason the standby cannot unseal?

Question 11 (hard, multiple choice)

Given the output from `vault operator raft list-peers`, which node(s) will become unavailable if node1 (leader) experiences a network partition away from all other nodes?

Exhibit

Refer to the exhibit.
```
$ vault operator raft list-peers
Node     Address           State       Voter
----     -------           -----       -----
node1    10.0.0.1:8201     leader      true
node2    10.0.0.2:8201     follower    true
node3    10.0.0.3:8201     follower    true
node4    10.0.0.4:8201     follower    false
node5    10.0.0.5:8201     follower    false
```

Question 12 (hard, multi select)

A Vault administrator wants to minimize the impact of a single node failure in a three-node Raft cluster. Which TWO actions will help? (Choose two.)

Question 13 (hard, multiple choice)

An administrator needs to securely provide a one-time use token to a remote service using Vault response wrapping. Which CLI flag or command should they use?

Question 14 (hard, multiple choice)

A security team needs to automate the rotation of a database password stored in Vault. The password is currently written as a static secret at 'database/creds/prod'. They want to use the Vault API to read and rewrite the secret, ensuring that the previous version is preserved for audit. The script must handle the case where the secret path may not exist. Which approach should they use?

Question 15 (hard, multi select)

Which THREE of the following are true about using the Vault API with response wrapping? (Choose three.)

Question 16 (hard, multiple choice)

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

Question 17 (hard, multiple choice)

Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?

Exhibit

```
Key                Value
---                -----
lease_id           database/creds/readonly/xyz789
lease_duration     30m
lease_renewable    true
password           ...
username           ...
```

Question 18 (hard, multiple choice)

A security team wants to ensure that database credentials generated by Vault are never renewed and have a fixed lifespan of 30 minutes. They configure the role with default_ttl=30m and max_ttl=30m, and set renewable=false. However, they find that some users are able to renew the leases anyway. What could be the reason?

Question 19 (hard, multiple choice)

After a Vault migration, some leases are no longer valid and cause errors. What is the best way to force a cleanup of all leases under a specific mount without affecting other mounts?

Question 20 (hard, multiple choice)

An organization uses Vault with a database secrets engine. They have a role that issues credentials with a lease TTL of 30 minutes. After some time, they notice that the database is full of stale users. What is the most likely cause?

These VA-003 practice questions are part of Courseiva's free HashiCorp certification practice question bank. Courseiva provides original exam-style VA-003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.