VA-003 · topic practice

Compare and configure secrets engines practice questions

Practise HashiCorp Vault Associate VA-003 Compare and configure secrets engines practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Compare and configure secrets engines

What the exam tests

What to know about Compare and configure secrets engines

Compare and configure secrets engines questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Compare and configure secrets engines exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Compare and configure secrets engines questions

20 questions · select your answer, then reveal the explanation

A DevOps team uses Vault to store database credentials via the database secrets engine. They notice that after the default lease duration, applications receive errors when trying to connect. The team wants to ensure that applications automatically renew leases before expiration. What should they do?

A security team wants to store static secrets like API keys in Vault. They need the secrets to be versioned and support rollback. Which secrets engine should they use?

An organization uses the AWS secrets engine to generate IAM users dynamically. They notice that the generated IAM user is not immediately available for use in AWS. What is the most likely reason?

A company is using the PKI secrets engine to issue certificates for internal services. They want to ensure that certificates are automatically revoked if a service is decommissioned. What should they implement?

A developer wants to use Vault to encrypt sensitive data before storing it in a database. They need to perform encryption and decryption operations without ever exposing the encryption key. Which secrets engine should they use?

A company has multiple Vault clusters in different regions. They want to use the replication feature to synchronise secrets across clusters. However, they want to exclude a specific secrets engine from replication for compliance reasons. What should they do?

An administrator configured the database secrets engine with PostgreSQL. When an application requests credentials, Vault returns a username and password. However, the application reports that the credentials are not working. What is the most likely cause?

Question 8 · easy · multiple choice

A team wants to store configuration data such as feature flags in Vault. They need to be able to list all keys under a path. Which secrets engine supports listing?

Which TWO of the following are valid use cases for the Transit secrets engine? (Select exactly 2.)

Which THREE of the following are true about the KV v2 secrets engine? (Select exactly 3.)

Which TWO of the following are valid secrets engines in Vault? (Select exactly 2.)

Question 12 · hard · multiple choice

A financial services company runs a mixed environment of on-premises and cloud workloads. They use Vault Enterprise with performance replication across two data centers: primary in us-east and secondary in eu-west. The secrets engine configuration includes KV v2 for static secrets, database engine for PostgreSQL credentials, and transit for encryption. Recently, the operations team noticed that after a network partition between the data centers, the secondary cluster stopped serving read requests for database credentials, although other secrets like KV v2 were still accessible. The team confirmed that the replication status shows 'secondary' and the cluster is healthy. The Vault configuration uses a single replication path filter that includes all mounts. What is the most likely reason for the database credentials not being available on the secondary?

A SaaS startup uses Vault to manage secrets for their microservices architecture. They have enabled the KV v2 secrets engine at 'secret/' and the database secrets engine at 'database/'. Developers often need to read application configuration from 'secret/app/config' and database credentials from 'database/creds/app-role'. Recently, the security team mandated that all secrets must be encrypted at rest using Vault's seal mechanism. They configured Vault to use AWS KMS as the seal. After enabling the seal, they noticed that reading from 'secret/app/config' still works, but reading from 'database/creds/app-role' returns an error: 'Error making API request: Code: 500. Errors: * 1 error occurred: * failed to decrypt data'. What is the most likely cause?

A company uses Vault to manage database credentials for a production PostgreSQL cluster. The application team reports that dynamic credentials generated from the database secrets engine are being revoked before the application has finished using them. The Vault lease TTL is set to 1 hour, but the application workload sometimes runs for up to 2 hours. What is the MOST efficient way to ensure credentials remain valid for the full workload duration?

A DevOps team is configuring the AWS secrets engine to generate IAM users with dynamic credentials. They want to ensure that each Vault-generated IAM user is automatically deleted when its lease expires. Which TWO configuration steps are required to achieve this? (Choose two.)

An administrator runs the commands shown in the exhibit. Later, they run 'vault kv delete kv-v2/secret' and then 'vault kv undelete -versions=1 kv-v2/secret' to recover the secret. Which command must the administrator run to verify that the secret is now readable?

Exhibit

Refer to the exhibit.
```
$ vault secrets enable -path=kv-v2 kv-v2
$ vault kv put kv-v2/secret username=admin password=s3cret
$ vault kv get kv-v2/secret
====== Metadata ======
Key              Value
---              -----
created_time     2023-01-01T00:00:00Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    s3cret
username    admin

$ vault kv metadata get kv-v2/secret
Key                     Value
---                     -----
cas_required            false
created_time            2023-01-01T00:00:00Z
current_version         1
custom_metadata         map[]
delete_version_after    0s
max_versions            0
oldest_version          0
updated_time            2023-01-01T00:00:00Z
```
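The exhibit above only shows the happy path. The following is an added example (written for this page, not Vault's own code or HashiCorp documentation) that models KV v2 version semantics in Python so the difference between `delete`, `undelete` and `destroy` is visible: a soft delete sets `deletion_time` and hides the data, `undelete` clears it, `destroy` purges the data so no undelete can bring it back. Check-and-set and `max_versions` pruning are modelled as well. The class and function names, the fake timestamps and the constructed sample data are assumptions of this example; the 10-version default for `max_versions=0` is Vault's documented KV v2 default.

```python
"""Model of Vault KV v2 version semantics (added example, not Vault's code).

Mirrors the exhibit's sequence: a soft delete sets deletion_time and hides
the data, undelete clears it, destroy purges the data for good. Check-and-set
and max_versions pruning are modelled too. Timestamps are fake for determinism.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Version:
    data: Optional[dict]                  # None once the version is destroyed
    created_time: str
    deletion_time: Optional[str] = None   # set by delete, cleared by undelete
    destroyed: bool = False

    def readable(self) -> bool:
        return self.data is not None and self.deletion_time is None


@dataclass
class KvV2Secret:
    """One path in a KV v2 mount, e.g. kv-v2/secret in the exhibit (assumed name)."""
    max_versions: int = 0        # 0 means the engine default of 10 versions
    cas_required: bool = False
    versions: dict = field(default_factory=dict)
    current_version: int = 0
    clock: int = 0               # constructed clock, not real timestamps

    def _tick(self) -> str:
        self.clock += 1
        return f"2023-01-01T00:00:{self.clock:02d}Z"

    def put(self, data: dict, cas: Optional[int] = None) -> int:
        """`vault kv put [-cas=N]`: always writes a new version."""
        if self.cas_required and cas is None:
            raise PermissionError("check-and-set parameter required for this call")
        if cas is not None and cas != self.current_version:
            raise ValueError("check-and-set parameter did not match the current version")
        self.current_version += 1
        self.versions[self.current_version] = Version(dict(data), self._tick())
        limit = self.max_versions or 10
        while len(self.versions) > limit:  # oldest versions are purged outright
            del self.versions[min(self.versions)]
        return self.current_version

    def get(self, version: Optional[int] = None) -> Optional[dict]:
        """`vault kv get [-version=N]`; None models 'No value found'."""
        v = self.versions.get(version or self.current_version)
        return dict(v.data) if v is not None and v.readable() else None

    def delete(self, versions: Optional[list] = None) -> None:
        """`vault kv delete [-versions=...]`: soft delete, recoverable."""
        for n in versions or [self.current_version]:
            if not self.versions[n].destroyed:
                self.versions[n].deletion_time = self._tick()

    def undelete(self, versions: list) -> None:
        """`vault kv undelete -versions=...`: reverses a soft delete only."""
        for n in versions:
            if not self.versions[n].destroyed:
                self.versions[n].deletion_time = None

    def destroy(self, versions: list) -> None:
        """`vault kv destroy -versions=...`: data gone, metadata stays."""
        for n in versions:
            self.versions[n].data = None
            self.versions[n].destroyed = True

    def metadata(self) -> dict:
        """Roughly what `vault kv metadata get` reports for the path."""
        return {
            "cas_required": self.cas_required,
            "current_version": self.current_version,
            "max_versions": self.max_versions,
            "oldest_version": min(self.versions) if self.versions else 0,
            "versions": {n: {"deleted": v.deletion_time is not None,
                             "destroyed": v.destroyed}
                         for n, v in self.versions.items()},
        }


def exhibit_roundtrip() -> dict:
    """put -> delete -> undelete -versions=1 -> get, as in the exhibit."""
    s = KvV2Secret()
    s.put({"username": "admin", "password": "s3cret"})   # exhibit's sample data
    s.delete()                       # vault kv delete kv-v2/secret
    while_deleted = s.get()          # the read fails while soft-deleted
    s.undelete([1])                  # vault kv undelete -versions=1 kv-v2/secret
    return {"while_deleted": while_deleted, "after_undelete": s.get()}


def destroy_is_final() -> dict:
    """A destroyed version cannot be undeleted; max_versions drops the oldest."""
    s = KvV2Secret(max_versions=2)
    for i in (1, 2, 3):
        s.put({"k": f"v{i}"})        # version 1 is pruned by the third put
    s.destroy([2])
    s.undelete([2])                  # no-op: destroyed data is unrecoverable
    return {"oldest": s.metadata()["oldest_version"], "v2": s.get(2),
            "v3": s.get(3), "v1_present": 1 in s.versions}
```

The point for the exam: after `vault kv undelete`, the same `vault kv get` that returned nothing during the soft delete returns the data again, because the version's data was never removed; only `destroy` (or pruning by `max_versions`) removes it. Check-and-set is the guard that stops two writers from silently stacking versions on top of each other when `cas_required` is set on the path.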
Question 17 · medium · multiple choice

A financial services company runs a microservices application on Kubernetes. Each service needs to authenticate to Vault using Kubernetes auth and then read secrets from a shared KV v2 engine mounted at 'shared-kv'. The security team requires that Service-A can only read secrets under 'shared-kv/team-alpha/*' and Service-B can only read secrets under 'shared-kv/team-beta/*'. The Vault administrator has already configured the Kubernetes auth method and created roles for each service with bound service account names. However, both services are currently able to read all paths under 'shared-kv/'. The administrator wants to enforce the least privilege access. Which course of action should the administrator take?

A company wants to securely store database credentials for a dynamic application that spins up new instances frequently. They need to ensure each instance gets a unique, time-limited username/password pair with minimal operational overhead. Which approach should they use?

Question 19 · hard · multi select

Which TWO of the following are valid methods to enable a secrets engine at a non-default path in Vault?

A DevOps engineer creates the configuration shown in the exhibit. After testing, they notice that the generated database credentials are not being revoked after the TTL expires. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ vault secrets enable -path=postgres database
Success! Enabled the database secrets engine at: postgres/

$ vault write postgres/config/my-postgres-database \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb" \
    username="admin" \
    password="password"
Success! Data written to: postgres/config/my-postgres-database

$ vault write postgres/roles/my-role \
    db_name=my-postgres-database \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    default_ttl="1h" \
    max_ttl="24h"
Success! Data written to: postgres/roles/my-role
```


Focused Compare and configure secrets engines sessions

Start a Compare and configure secrets engines only practice session

Every question in these sessions is drawn from the Compare and configure secrets engines domain — nothing else.

Related practice questions

Related VA-003 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the VA-003 exam test about Compare and configure secrets engines?
Compare and configure secrets engines questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Compare and configure secrets engines questions in a focused session?
Yes — the session launcher on this page draws every question from the Compare and configure secrets engines domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other VA-003 topics?
Use the topic links above to move to related areas, or go back to the VA-003 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the VA-003 exam covers. They are not copied from any real exam or dump site.