Quick Answer
The correct answer is to create a dedicated token role with a max TTL of 720h (30 days) and restrict token creation to that role while revoking the admin policy’s create permission on auth/token/create. This directly addresses the root cause: the admin policy granted unrestricted token creation capabilities, allowing a human user to bypass the CI/CD pipeline and issue tokens with a 90-day TTL despite the system’s max lease TTL of 30 days. By enforcing token creation policies through a role with an explicit max TTL, you align token lifetimes with the Vault configuration’s maximum lease duration, preventing long-lived tokens without disrupting existing applications that use the pipeline. On the VA-003 exam, this scenario tests your understanding of how token roles override default and system max TTLs, and how policy restrictions on auth/token/create enforce least privilege. A common trap is assuming the system max lease TTL alone blocks longer tokens—it does not, because explicit_max_ttl on a token can override it. Memory tip: “Roles rule TTLs; policies gate creation.”
VA-003 Assess Vault tokens Practice Question
This VA-003 practice question tests your understanding of assess vault tokens. Examine the command output carefully: the correct answer depends on what the output actually shows, not on general recall alone. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A large enterprise runs Vault in a production environment with hundreds of applications. Each application uses a unique Vault token with a 30-day TTL. The tokens are created by a central CI/CD pipeline using Vault's token auth method. Recently, the security team noticed that several tokens with suspicious activity have been created with a 90-day TTL, and the tokens appear to be long-lived and not revoked after use. The CI/CD pipeline logs show no anomalies. The audit logs reveal that the tokens in question were created by a human user 'jdoe' using a token with the 'admin' policy. The 'admin' policy grants '*' capabilities on all paths. The Vault token accessor shows that the suspicious tokens have a 'creation_ttl' of 2160h (90 days) and 'explicit_max_ttl' of 0s. The Vault configuration uses a default lease TTL of 24h and a max lease TTL of 720h (30 days). Which action should the security team take to prevent such incidents in the future without breaking existing applications?
Answer choices
- A. Remove the 'admin' policy from all human users and require them to use a different authentication method.
- B. Implement a Sentinel policy that blocks token creation by any user except the CI/CD pipeline.
- C. Create a dedicated token role with a max TTL of 720h (30 days) and restrict token creation to that role; revoke the 'admin' policy's create permission on auth/token/create.
- D. Reduce the system max lease TTL to 720h (30 days) and enforce that all tokens must have explicit_max_ttl set.
Why each option matters
Correct answer & explanation
Create a dedicated token role with a max TTL of 720h (30 days) and restrict token creation to that role; revoke the 'admin' policy's create permission on auth/token/create.
Option C is correct because the root cause is that the 'admin' policy grants unrestricted token creation permissions, allowing a human user to bypass the intended CI/CD pipeline controls and create tokens with a 90-day TTL. By creating a dedicated token role with a max TTL of 720h (30 days) and revoking the 'admin' policy's create permission on 'auth/token/create', the team enforces a maximum TTL of 30 days for all tokens created via the token auth method, matching the system's max lease TTL and preventing long-lived tokens without breaking existing applications that use the CI/CD pipeline.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A. Remove the 'admin' policy from all human users and require them to use a different authentication method.
  Why it's wrong here: Removing the admin policy would break legitimate administrative tasks; the issue is about token creation permissions, not the admin policy itself.
- ✗ B. Implement a Sentinel policy that blocks token creation by any user except the CI/CD pipeline.
  Why it's wrong here: This would block legitimate admin users from creating tokens for emergencies and might break workflows.
- ✓ C. Create a dedicated token role with a max TTL of 720h (30 days) and restrict token creation to that role; revoke the 'admin' policy's create permission on auth/token/create.
  Why this is correct: This enforces a TTL limit on tokens and restricts who can create tokens, preventing unauthorized long-lived tokens.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ D. Reduce the system max lease TTL to 720h (30 days) and enforce that all tokens must have explicit_max_ttl set.
  Why it's wrong here: The system max lease TTL is already 30 days, but it does not constrain token creation TTL. Lowering it would affect existing leases and break applications.
Common exam traps
Common exam trap: answer the scenario, not the keyword
HashiCorp often tests the misconception that reducing the system max lease TTL alone will prevent long-lived tokens, but the trap here is that tokens with 'explicit_max_ttl' set to 0s or tokens created via roles with higher max TTLs can bypass this limit, so the correct solution is to restrict token creation permissions and enforce TTLs at the role level.
Detailed technical explanation
How to think about this question
Under the hood, Vault's token creation honors the 'explicit_max_ttl' parameter, which overrides the system max lease TTL when set; a value of 0s means no explicit max TTL is set, so the token's TTL is bounded only by its 'creation_ttl' and the system's max lease TTL. With '*' capabilities on 'auth/token/create', the 'admin' policy lets a user request any 'creation_ttl' up to the system max lease TTL (720h). The suspicious tokens, however, carry a 'creation_ttl' of 2160h (90 days), which exceeds that limit. This indicates that they were created through a path or method that bypassed the system max lease TTL, such as the 'auth/token/create-orphan' endpoint or a token role with a higher max TTL. In practice this happens when human users with overly permissive policies create tokens directly via the API, ignoring the intended CI/CD pipeline controls; the fix is to restrict token creation to specific roles with enforced TTL limits.
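As an added illustration (not from this page or from HashiCorp), the policy shape the explanation describes: the broad 'admin' policy as given in the scenario, the hardened version that denies direct token creation, and a pipeline policy scoped to a single token role whose max TTL matches the 720h system limit. The role name ci-app and the policy names ci-pipeline and app-default are assumptions.

```hcl
# admin.hcl (before, as in the scenario): every path, every capability,
# so any holder can mint tokens of any TTL via auth/token/create.
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# admin.hcl (after): keep the broad rule above, but deny direct token
# creation. In Vault, "deny" overrides every other capability, so these
# exact-path rules win over the "*" glob. Role-scoped creation lives under
# auth/token/create/<role>, a different path, and is unaffected.
# create-orphan is denied as well, since the explanation names it as a bypass.
path "auth/token/create" {
  capabilities = ["deny"]
}
path "auth/token/create-orphan" {
  capabilities = ["deny"]
}

# ci-pipeline.hcl (assumed name): the CI/CD pipeline may create tokens only
# through the ci-app role, so every token it issues inherits the role's cap.
path "auth/token/create/ci-app" {
  capabilities = ["create", "update"]
}

# The role itself is not a policy document; an operator writes it once
# (assumed role name ci-app, assumed application policy app-default):
#   vault write auth/token/roles/ci-app \
#     allowed_policies="app-default" \
#     token_explicit_max_ttl="720h" \
#     renewable=true orphan=false
# Afterwards `vault token create -role=ci-app -ttl=2160h` cannot yield a
# token living beyond 720h, and `vault token create -ttl=2160h` (no role)
# is refused for holders of the hardened admin policy.
```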
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 30, 2026
This VA-003 practice question is part of Courseiva's free HashiCorp certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the VA-003 exam.