VA-003 · topic practice

Utilize Vault CLI and API practice questions

Practise HashiCorp Vault Associate VA-003 Utilize Vault CLI and API practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Utilize Vault CLI and API

What the exam tests

What to know about Utilize Vault CLI and API

Utilize Vault CLI and API questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Utilize Vault CLI and API exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Utilize Vault CLI and API questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A DevOps engineer needs to write a new secret to the KV v2 engine at path 'secret/data/team' with key 'api_key' and value 'abc123'. Which Vault CLI command achieves this?

An admin wants to list all enabled authentication methods using the Vault API. Which curl command is correct?

A user wants to log in using the userpass auth method with username 'jdoe' and password 'p@ssw0rd'. What is the correct API endpoint and request?

A security team needs to create a token with a custom TTL of 1 hour and associate it with a policy named 'read-only'. Which Vault CLI command accomplishes this?

Question 5 · medium · multiple choice

An operator wants to enable the AWS auth method at the default path. Which curl command is correct?

Which TWO of the following are valid methods to authenticate to Vault using the CLI?

Which THREE of the following are correct about using the Vault API to read a secret from KV v2 engine?

Refer to the exhibit. A developer ran the command and received the JSON output. Which command would retrieve only the value of 'api_key' in plain text?

Exhibit

$ vault read -format=json secret/data/team
{
  "data": {
    "data": {
      "api_key": "abc123"
    },
    "metadata": {
      "created_time": "2023-01-01T00:00:00Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  }
}

Refer to the exhibit. A user has a token that has the 'default' policy attached. What actions can the user perform on 'secret/data/team'?

Exhibit

$ vault policy list
admin-policy
default
readonly
$ vault token capabilities secret/data/team
read, list
$ vault token capabilities -policy=readonly secret/data/team
read, list
$ vault token capabilities -policy=admin-policy secret/data/team
create, read, update, delete, list

You are a Vault administrator for a large organization. Your team uses a centralized Vault cluster with multiple auth methods enabled, including userpass, LDAP, and approle. Recently, a developer reported that they are unable to authenticate using their userpass credentials, receiving the error 'permission denied'. The developer confirms the username and password are correct. Other developers using userpass can authenticate successfully. The Vault audit logs show that the authentication request for this developer is reaching Vault but failing with 'invalid password'. You have verified that the password is correct by resetting it via the Vault CLI. The developer's userpass entry exists and is not disabled. Which of the following is the most likely cause and correct course of action?

Which TWO of the following Vault CLI commands can be used to write data to Vault?

Question 12 · easy · multiple choice

A DevOps engineer is tasked with automating the rotation of a static secret stored in Vault's KV secrets engine (version 2). The secret is currently stored at path 'secret/data/app/config' with keys 'username' and 'password'. The engineer wants to update the 'password' key using the Vault CLI from a CI/CD pipeline. The pipeline uses a token with a policy that grants 'create', 'update', and 'read' capabilities on 'secret/data/app/*'. Which CLI command should the engineer use to update only the 'password' key, leaving other keys unchanged?

A DevOps engineer is troubleshooting a Vault CLI command that is failing with the error 'Error writing data: Error making API request'. The engineer has verified that the Vault token is valid and unexpired. Which of the following is the most likely cause of this error?

A company uses Vault to manage secrets for multiple applications. A new security policy requires that all human users authenticate using LDAP and that all machine-to-machine authentication uses AppRole. An administrator has configured an LDAP auth method at 'ldap/' and an AppRole at 'approle/'. The administrator creates a role 'web-app' with a secret ID TTL of 30 days and a token TTL of 1 hour. After deploying the web application, the application successfully logs in using the AppRole role ID and secret ID, retrieves a token, and reads secrets. However, after 1 hour, the application begins receiving 'permission denied' errors when trying to read secrets. The application logs show that it is using the same token obtained during initial login. Which action should the administrator take to resolve this issue?

Drag and drop the steps to set up Vault's Transit secrets engine for encryption/decryption into the correct order.


Match each Vault policy capability to its permission.

Matches

Allow creating data at a path

Allow reading data at a path

Allow modifying existing data

Allow deleting data

Allow listing keys

A developer wants to authenticate to Vault using LDAP credentials. Which CLI command should they use?

An operator needs to create a token role named 'web-app' with a default TTL of 24 hours. Which API request is correct?

Question 19 · hard · multiple choice

A user receives 'permission denied' when running 'vault write secret/data/myapp value=123'. The user's token has a policy that includes 'path "secret/data/*" { capabilities = ["read", "list"] }'. What is the most likely cause?

A team wants to retrieve a dynamic database credential from Vault. Which CLI command should be used?


Frequently asked questions

What does the VA-003 exam test about Utilize Vault CLI and API?
Utilize Vault CLI and API questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Utilize Vault CLI and API questions in a focused session?
Yes — the session launcher on this page draws every question from the Utilize Vault CLI and API domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other VA-003 topics?
Use the topic links above to move to related areas, or go back to the VA-003 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the VA-003 exam covers. They are not copied from any real exam or dump site.