Back to HashiCorp Vault Associate VA-003 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise HashiCorp Vault Associate VA-003 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
VA-003
exam code
HashiCorp
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related VA-003 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

Refer to the exhibit. A developer reports that a token they created using `vault token create -policy=my-policy -ttl=2h` is no longer working after 1 hour. The token lookup output shows the token details. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ vault token lookup s.abc123
Key                 Value
---                 -----
accessor            a.xyz789
creation_time       1712345678
expiration_time     1712355678
creation_ttl        2h
display_name        mytoken
entity_id           entity-uuid-123
meta                map[team:dev]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
renewable           true
type                service
```
Question 2hardmultiple choice
Full question →

An administrator runs the commands shown in the exhibit. Later, they run 'vault kv delete kv-v2/secret' and then 'vault kv undelete -versions=1 kv-v2/secret' to recover the secret. Which command must the administrator run to verify that the secret is now readable?

Exhibit

Refer to the exhibit.
```
$ vault secrets enable -path=kv-v2 kv-v2
$ vault kv put kv-v2/secret username=admin password=s3cret
$ vault kv get kv-v2/secret
====== Metadata ======
Key              Value
---              -----
created_time     2023-01-01T00:00:00Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    s3cret
username    admin

$ vault kv metadata get kv-v2/secret
Key                 Value
---                 -----
cas_required        false
created_time        2023-01-01T00:00:00Z
current_version     1
custom_metadata     map[]
delete_version_after    0s
max_versions        0
oldest_version      0
updated_time        2023-01-01T00:00:00Z
```
Question 3mediummultiple choice
Full question →

Refer to the exhibit. A user deletes the current version of 'secret/myapp' using 'vault kv delete secret/myapp'. What happens to the version?

Exhibit

$ vault read secret/metadata/myapp
Key                 Value
---                 -----
cas_required        true
created_time        2023-01-01T00:00:00Z
current_version     1
delete_version_after 0s
max_versions        0
oldest_version      0
updated_time        2023-01-01T00:00:00Z
Question 4hardmultiple choice
Full question →

Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?

Exhibit

Key                Value
---                -----
lease_id           database/creds/readonly/xyz789
lease_duration     30m
lease_renewable    true
password           ...
username           ...
Question 5mediummultiple choice
Full question →

Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?

Exhibit

path "database/creds/readonly" {
  capabilities = ["read"]
}
Question 6easymultiple choice
Full question →

Refer to the exhibit. What is the most likely cause of this error?

Exhibit

Error renewing lease: lease not found
Question 7easymultiple choice
Full question →

Based on the exhibit, what is the maximum total lifespan of this lease?

Exhibit

Refer to the exhibit.

```
$ vault lease lookup database/creds/readonly/abc123
Key                 Value
---                 -----
id                  database/creds/readonly/abc123
issue_time          2023-10-05T14:30:00Z
renewable           true
ttl                 30m
max_ttl             1h
```
Question 8mediummultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A user with this policy attempts to read the secret at path "secret/data/team-a/admin". What will happen?

Exhibit

path "secret/data/team-a/*" {
  capabilities = ["read", "list"]
}
path "secret/data/team-a/admin" {
  capabilities = ["deny"]
}
Question 9hardmultiple choice
Full question →

Refer to the exhibit. An application needs to encrypt data using the transit engine with key "app-key". It currently has this policy. Which statement is true?

Exhibit

# Vault policy snippet
path "transit/encrypt/app-key" {
  capabilities = ["create", "update"]
}
path "transit/decrypt/app-key" {
  capabilities = ["create", "update"]
}
Question 10easymultiple choice
Full question →

Refer to the exhibit. A user with this policy tries to write a new secret to "secret/data/production/db". What will happen?

Exhibit

$ vault policy read my-policy
path "secret/data/production/*" {
  capabilities = ["read"]
}
path "secret/data/staging/*" {
  capabilities = ["create", "update"]
}
Question 11hardmultiple choice
Full question →

A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
password           ...
username           v-token-my-role-...

$ vault lease renew database/creds/my-role/abc123...
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
```
Question 12mediummultiple choice
Full question →

Based on the exhibit, what is the maximum lifetime of this token?

Exhibit

Refer to the exhibit.
```
$ vault token lookup
Key                 Value
---                 -----
accessor            abc123
expire_time         2025-06-01T12:00:00Z
id                  s.abcdefghijklmnop
issue_time          2025-05-01T12:00:00Z
meta                map[team:dev]
policies            [default devops]
renewable           true
ttl                 720h
type                service
```
Question 13easymultiple choice
Full question →

Refer to the exhibit. A token has this policy. Which action can the token perform?

Exhibit

```
path "secret/data/engineering/*" {
  capabilities = ["read", "list"]
}
path "secret/data/finance/*" {
  capabilities = ["create", "update"]
}
```
Question 14hardmultiple choice
Full question →

Refer to the exhibit. A user attempts to renew the token after 20 hours. What will happen?

Exhibit

```
$ vault token create -policy=my-policy -ttl=12h -explicit-max-ttl=24h
Key                  Value
---                  -----
token                s.f2g3h4j5k6l7
token_accessor       a1b2c3d4e5f6
token_duration       12h
token_renewable      true
token_policies       ["default" "my-policy"]
identity_policies    []
policies             ["default" "my-policy"]
```
Question 15mediummultiple choice
Full question →

Refer to the exhibit. An admin wants to ensure this token can be used for 60 hours total. Which action should be taken?

Exhibit

```
$ vault token lookup s.abc123
Key                 Value
---                 -----
accessor            a1b2c3d4e5f6
creation_time       1700000000
creation_ttl        24h
display_name        my-app
explicit_max_ttl    48h
expire_time         1700014400
id                  s.abc123
issue_time          1700000000
meta                map[service:app1]
num_uses            0
orphan              true
path                auth/token/create
policies            [default my-policy]
renewable           true
ttl                 24h
type                service
```

These VA-003 practice questions are part of Courseiva's free HashiCorp certification practice question bank. Courseiva provides original exam-style VA-003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.