CCNA Vault Leases Questions

47 questions · Vault Leases topic · All types, answers revealed

1
MCQmedium

An admin wants to view all active leases for a specific secrets engine path. Which approach is valid?

A.vault write sys/leases/list lease_id=<mount_path>
B.vault list sys/leases/lookup/<mount_path>
C.vault list sys/leases/prefix/<mount_path>
D.vault lease list -prefix <mount_path>
E.vault read sys/leases/list/<mount_path>
AnswerB

Listing sys/leases/lookup/<prefix> returns the lease IDs (and sub-prefixes) under that path.

Why this answer

`vault list sys/leases/lookup/<mount_path>` issues a LIST against `sys/leases/lookup/`, the only endpoint that enumerates leases by prefix. Keys that end in a slash (for example `creds/`) are sub-prefixes that have to be listed in turn; the remaining keys are lease IDs. Option C is not a real path. Option D is not a real subcommand: `vault lease` only has `lookup`, `renew` and `revoke`. Options A and E fail because there is no `sys/leases/list` endpoint, and neither `write` nor `read` performs a LIST in any case. The listing call is privileged (the API documentation marks it as requiring `sudo`), so run it with an operator token rather than an application token.
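Enumerating every lease under a mount in code, as an added example that is not part of the quiz page: it walks `sys/leases/lookup/<prefix>` the way the correct answer does, descending into keys that end in a slash. The LIST operation is injected as a callable so the walk runs offline against a constructed tree; `vault_lister` shows the real HTTP form of the call (assumptions: a `VAULT_ADDR`-style address, an operator token, and the standard `?list=true` spelling of LIST).

```python
"""Walk sys/leases/lookup/<prefix> recursively to collect every lease ID under a mount.

Added example (not from the quiz page): LIST sys/leases/lookup/<prefix> returns
the keys one level below <prefix>; keys that end in "/" are sub-prefixes that must
be listed in turn, the rest are lease IDs.  The walker takes the LIST operation as
a callable so it runs offline against the constructed tree below or, through
vault_lister(), against a real server.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List

ListFn = Callable[[str], List[str]]   # prefix -> keys returned by LIST


def walk_leases(list_fn: ListFn, prefix: str) -> List[str]:
    """Return full lease IDs (e.g. 'database/creds/readonly/abc123') under prefix."""
    prefix = prefix.strip("/")
    found: List[str] = []
    stack = [prefix]
    while stack:
        current = stack.pop()
        for key in list_fn(current):
            if key.endswith("/"):
                stack.append(f"{current}/{key.rstrip('/')}")   # sub-prefix: descend
            else:
                found.append(f"{current}/{key}")                 # leaf: a lease ID
    return sorted(found)


def vault_lister(addr: str, token: str) -> ListFn:
    """Build a LIST callable against a live Vault.  Assumption: addr is the API
    address (https://vault.example:8200) and token is an operator token, since
    listing leases is a privileged call."""
    def _list(prefix: str) -> List[str]:
        # LIST is expressed over HTTP as GET ...?list=true (or the LIST verb).
        url = f"{addr}/v1/sys/leases/lookup/{prefix}/?list=true"
        req = urllib.request.Request(url, headers={"X-Vault-Token": token})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)["data"]["keys"]
        except urllib.error.HTTPError as err:
            if err.code == 404:           # no leases under this prefix
                return []
            raise
    return _list


# Constructed sample tree: what LIST would return for each prefix under a
# "database" mount with two roles (made up, not captured from a server).
SAMPLE_TREE: Dict[str, List[str]] = {
    "database": ["creds/"],
    "database/creds": ["readonly/", "readwrite/"],
    "database/creds/readonly": ["2f1c9a0b", "7e55d3aa"],
    "database/creds/readwrite": ["c0ffee11"],
}


def sample_lister(prefix: str) -> List[str]:
    """Offline stand-in for the LIST call."""
    return SAMPLE_TREE.get(prefix.strip("/"), [])


if __name__ == "__main__":
    for lease_id in walk_leases(sample_lister, "database/"):
        print(lease_id)
```

Against a live server, `walk_leases(vault_lister(addr, token), "database/")` produces the same kind of list; feeding those IDs to `vault lease lookup` gives issue and expiry times for each one.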

2
MCQmedium

A Vault operator accidentally revoked a token that was used to lease many database credentials. What happens to the leases associated with that token?

A.All leases are immediately revoked.
B.The leases become orphaned and will never be revoked.
C.Vault automatically renews the leases with a new token.
D.The leases continue until their natural expiration.
AnswerA

Token revocation revokes all associated leases.

Why this answer

In Vault every lease has a parent token: a lease is created as a child of the token that requested the secret. Revoking a token therefore revokes every lease that token created (the database users are dropped through the engine's revocation statements) and every child token it created, except child tokens that were created as orphans. No credential issued under the revoked token stays valid, which is exactly the property that makes token revocation a safe emergency response to a compromised client.

Exam trap

HashiCorp often tests the misconception that leases have independent lifetimes or that Vault might orphan or auto-renew leases, when in fact the token's revocation is the authoritative trigger for immediate lease cleanup.

How to eliminate wrong answers

Option B is wrong because Vault does not orphan leases; it actively tracks the parent token for each lease and revokes them when the token is revoked. Option C is wrong because Vault does not automatically renew leases with a new token; lease renewal requires the original token or a token with sufficient privileges, and revocation is a terminal action. Option D is wrong because leases are tied to the token's lifecycle, not independent; they do not continue to natural expiration once the token is revoked.

3
MCQmedium

An application reads a static secret (for example an API key) from Vault's KV v2 secrets engine at 'secret/data/myapp/config'. Because the read response contains `lease_duration` and `renewable` fields, the application stores the response's `lease_id` and calls `vault lease renew` with it every hour. Every renewal fails with an error that the lease is not found or is not renewable, while the secret itself is still readable with a fresh read. What is the cause?

A.The token used to renew the lease has expired.
B.The secret was deleted and recreated under the same path.
C.The KV v2 engine was disabled and re-enabled.
D.KV secrets are not leased: the response's `lease_id` is empty and `lease_duration` is only a cache hint, so there is nothing to renew.
AnswerD

Neither KV v1 nor KV v2 creates a lease for a read; renewal applies to dynamic secrets and tokens only.

Why this answer

KV stores static values and never registers a lease for them. A KV v1 read returns `lease_id: ""`, `renewable: false` and a `lease_duration` that mirrors the mount's default TTL purely as a hint for how long a client may cache the value; a KV v2 read returns `lease_duration: 0`. Passing an empty or made-up lease ID to `sys/leases/renew` is refused. Refreshing a static secret therefore means reading it again (the `version` in the KV v2 metadata tells you whether it changed), and rotating it means writing a new value and having consumers re-read it. Lease renewal is for dynamic secrets (database, AWS, SSH OTP, PKI roles with `generate_lease=true`) and for tokens.

Option A would surface as a permission or token error, not as a missing lease. Options B and C would not change any of this, and option C would also wipe the mount's data, contradicting the fact that the secret is still readable.

4
Multi-Selectmedium

A Vault operator wants to manage lease durations for secrets issued by a PKI secrets engine. Which two actions can they take to affect the lease duration of certificates?

Select 2 answers
A.Set the 'default_lease_ttl' on the auth method used to log in.
B.Set the 'max_lease_ttl' on the auth method used to log in.
C.Configure the 'ttl' parameter in the PKI role definition.
D.Set the 'lease_duration' parameter in the PKI role definition.
E.Set the 'default_lease_ttl' on the PKI secrets engine mount.
AnswersC, E

The 'ttl' parameter in a PKI role overrides the mount's default lease TTL for certificates issued by that role.

Why this answer

Options C and E are correct. The role's `ttl` sets the validity of certificates issued through that role, and the mount's `default_lease_ttl` is what the role falls back on when `ttl` is not set; the role's `max_ttl` (or the mount's `max_lease_ttl` when the role leaves it unset) caps both.

Options A and B are incorrect because `default_lease_ttl` and `max_lease_ttl` on an auth method govern the tokens it issues, not the secrets those tokens later request. Option D is incorrect because `lease_duration` is a field in Vault's response, not a PKI role parameter.

5
Multi-Selectmedium

Which of the following factors determine the actual TTL of a lease issued by a secrets engine? (Choose three.)

Select 3 answers
A.The system's max_lease_ttl configuration
B.The requesting token's TTL
C.The role's default_ttl
D.The backend's rotation period
E.The role's max_ttl
AnswersA, C, E

Global maximum TTL for all leases.

Why this answer

The lease's actual TTL is computed from the role's default_ttl (the starting value), the role's max_ttl (the ceiling renewals can reach) and the system's max_lease_ttl (the global ceiling that applies when the role or mount leaves its own unset; a mount's max_lease_ttl sits between the two). The requesting token's TTL does not change the number Vault prints on the lease, but the lease is a child of that token: when the token expires or is revoked, the lease is revoked with it, so in practice a credential never outlives the token that requested it. The rotation period belongs to static roles, which rotate a fixed account's password on a schedule and issue no leases at all.

6
MCQhard

A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?

A.Increase the default lease TTL to 8 hours and configure periodic tokens with a short TTL.
B.Remove the TTL entirely so that credentials never expire.
C.Decrease the default lease TTL from 1 hour to 30 minutes.
D.Increase the maximum TTL for the role to 24 hours.
AnswerA

A longer lease reduces renewal frequency, and periodic tokens ensure the overall lifetime is bounded.

Why this answer

Option A is correct because raising the default lease TTL to 8 hours cuts the number of renewals per credential by a factor of eight, which is what the team measured as the problem. Pairing that with periodic tokens keeps the overall lifetime bounded: a periodic token must be renewed within each period or it expires, and when it expires Vault revokes every lease it requested. The database credentials therefore remain tied to a short token period even though each lease is renewed less often. (With periodic tokens the 'short TTL' is the period; periodic tokens have no max TTL, so the period is the only bound.)

Exam trap

HashiCorp often tests the distinction between lease TTL and token TTL, and the trap here is that candidates mistakenly think increasing the maximum TTL (option D) will reduce renewal frequency, when in fact it only sets a ceiling and does not change the actual lease duration.

How to eliminate wrong answers

Option B is wrong because removing the TTL entirely (setting credentials to never expire) violates the principle of dynamic secrets and creates a permanent security risk, as compromised credentials would remain valid indefinitely. Option C is wrong because decreasing the default lease TTL to 30 minutes would increase the renewal frequency, worsening the performance issue rather than solving it. Option D is wrong because increasing the maximum TTL for the role to 24 hours only sets an upper bound; it does not change the actual lease duration (which remains at 1 hour) and thus does not reduce renewal calls.

7
MCQhard

A company uses Vault to manage SSH OTP credentials. They set the role with default_ttl=5m and max_ttl=30m. Users report that they receive an error when trying to renew the OTP after 10 minutes. What is the most likely reason?

A.The OTP key is only valid for one-time use and cannot be renewed.
B.The renewable flag is set to false on the role.
C.The user's token does not have permission to renew leases.
D.The max_ttl of 30m is reached, but the OTP has already been used.
AnswerA

SSH OTPs are consumed on use and cannot be renewed.

Why this answer

Vault SSH OTP credentials are designed for one-time use: the OTP is generated, used to authenticate an SSH session, and then immediately invalidated. Once the OTP has been used, it cannot be renewed because the lease is tied to a credential that has already been consumed. The error after 10 minutes occurs because the OTP was used within that window, making renewal impossible regardless of TTL settings.

Exam trap

HashiCorp often tests the misconception that lease renewal is always possible as long as the TTL has not expired, but for one-time credentials like SSH OTP, the lease becomes non-renewable immediately after the credential is used.

How to eliminate wrong answers

Option B is wrong because SSH OTP roles have no `renewable` parameter; the credential is non-renewable because it is consumed on use, not because of a role flag. Option C is wrong because a permissions problem returns 'permission denied', whereas here the lease itself is unusable once the OTP has been consumed. Option D is wrong because 10 minutes is well under the 30m max_ttl, so the cap was never the limit that was hit. Note also that with default_ttl=5m an OTP that was never used and never renewed has already expired at 10 minutes, which is a second reason a late renewal fails; the intended pattern is one fresh OTP per session rather than renewal.

8
MCQhard

An administrator notices that after revoking a specific lease, the underlying database credential is still accessible. What is the most likely cause?

A.The revocation script failed to delete the database user.
B.The secret engine caches credentials.
C.The lease ID was incorrect.
D.The lease was renewed after revocation.
AnswerA

If the revocation script fails, the credential remains despite lease revocation.

Why this answer

Option A is correct because revoking a lease makes Vault run the database role's `revocation_statements` (or the plugin's default revocation, which drops the user) against the database. If that step fails, for example because Vault's own database account lacks the privilege, the network is down, or the DROP errors on an object that still depends on the role, the user survives in the database. Vault does not silently discard the lease in that case: the revocation is retried, and after repeated failures (Vault 1.7 and later) the lease is marked irrevocable and stays visible in `vault lease lookup` and in the lease list. The check is therefore to look the lease up and to query the database for the user. The other way to end up here is an operator running `vault lease revoke -force -prefix <prefix>`, which deletes Vault's lease records without contacting the database and leaves the users behind by design.

Exam trap

HashiCorp often tests the misconception that lease revocation guarantees the underlying resource is destroyed. Revocation asks the secrets engine to remove the resource; Vault only drops the lease record once that succeeds (or when an operator forces it), so the external state can lag behind, or diverge from, Vault's view.

How to eliminate wrong answers

Option B is wrong because the database secrets engine does not cache credentials; each lease corresponds to a unique user created on demand, and revocation runs the role's revocation statements against that user. Option C is wrong because a bad lease ID makes `vault lease revoke` return 'lease not found' rather than succeed, and the question says the revoke succeeded. Option D is wrong because a revoked lease cannot be renewed; any renewal attempt after revocation fails with the same 'lease not found' error.
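Detecting the orphaned users this question describes, as an added example (my code, not HashiCorp's and not from the quiz): it relies on the fact that a lease can never exceed its role's max_ttl, so any Vault-generated user older than that has no lease behind it and should have been dropped. Assumptions: the default PostgreSQL username template (`v-<display>-<role>-<20 random chars>-<unix_time>`), constructed usernames, and that the caller fetches the role list from the database (for example `SELECT rolname FROM pg_roles`).

```python
"""Find database users that Vault can no longer have a lease for.

Added example, not from the page.  After a failed revocation (or a
`vault lease revoke -force -prefix ...`) a dynamic user survives in the database
with no lease behind it.  Vault's default PostgreSQL username template is
v-{{.DisplayName | truncate 8}}-{{.RoleName | truncate 8}}-{{random 20}}-{{unix_time}},
so the trailing field is the creation time.  A lease cannot outlive the role's
max_ttl, so a Vault-shaped user older than max_ttl (plus a grace window for
clock skew and in-flight revocations) is an orphan.  Usernames below are
constructed sample data; fetching them from pg_roles is left to the caller.
"""
import re
from typing import Iterable, List

# Anchor on the fixed-width tail so hyphens inside the truncated names do not matter.
VAULT_USER_RE = re.compile(r"^v-.+-[A-Za-z0-9]{20}-(\d{10})$")


def parse_created_at(username: str) -> int:
    """Return the unix_time suffix of a Vault-generated username, or -1 if it is not one."""
    m = VAULT_USER_RE.match(username)
    return int(m.group(1)) if m else -1


def orphaned_users(db_users: Iterable[str], now: int, max_ttl: int,
                   grace_seconds: int = 300) -> List[str]:
    """Vault-shaped users whose age exceeds the role's max_ttl plus grace.

    Such a user cannot be backed by a live lease, so its presence means the
    revocation that should have dropped it never completed."""
    orphans: List[str] = []
    for user in db_users:
        created = parse_created_at(user)
        if created < 0:
            continue                      # a human or application account, leave it alone
        if now - created > max_ttl + grace_seconds:
            orphans.append(user)
    return sorted(orphans)


# Constructed sample data (not from a real database).  With now=1700008000 and a
# role max_ttl of 1h: the first two users are older than 1h + grace, the third
# was created ~17 minutes ago and may still be leased.
SAMPLE_DB_USERS = [
    "postgres",
    "app_migrator",
    "v-approle-readonly-Xk3pQ9Lm2Rt7Vw1Yz8Ab-1700000000",   # 2h13m old: orphan
    "v-approle-readonly-Qw8ErTy1Ui2Op3As4Df5-1700003600",   # 1h13m old: orphan
    "v-token-readwrit-Zx9Cv8Bn7Mm6Kl5Jh4Gf-1700007000",     # 17m old: possibly leased
]

if __name__ == "__main__":
    for user in orphaned_users(SAMPLE_DB_USERS, now=1700008000, max_ttl=3600):
        print(f'DROP ROLE "{user}";  -- older than max_ttl, no lease can exist')
```

This is an after-the-fact detector; the primary fix is to make the revocation statements succeed, and `vault lease lookup` on the affected lease IDs will show whether Vault is still retrying them.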

9
Multi-Selecthard

Which three statements about lease renewal are correct? (Choose three.)

Select 3 answers
A.A lease can be renewed indefinitely.
B.The increment requested on renewal is a hint; Vault may return a shorter TTL.
C.A lease can be renewed up to the max_lease_ttl.
D.Lease renewal requires 'sudo' capability.
E.The renew operation can extend the lease TTL.
AnswersB, C, E

Vault treats the requested increment as advisory and caps the result at the lease's max TTL.

Why this answer

Option B is correct because `sys/leases/renew` (and `vault lease renew -increment`) accepts a requested increment, but the secrets engine and the expiration manager decide the actual extension: the `lease_duration` in the response is authoritative and is never longer than the time left before the lease's max TTL (its `issue_time` plus the role or mount maximum). Clients must read the returned duration rather than assume the increment was granted. Option C is correct because every renewal is capped at that max TTL, and option E is correct because a successful renewal moves the expiry out from the moment of renewal. Option A is wrong: only periodic tokens can be renewed without a max TTL. Option D is wrong because renewal needs `update` on `sys/leases/renew`, which the default policy grants, not `sudo`.

Exam trap

HashiCorp often tests the misconception that lease renewal is unlimited or requires elevated privileges, when in fact it is bounded by the max TTL (role max_ttl, else mount max_lease_ttl, else system max_lease_ttl) and needs only the lease ID plus `update` capability on `sys/leases/renew`.

10
Multi-Selectmedium

Which two commands can be used to manually revoke leases? (Choose two.)

Select 2 answers
A.vault secrets disable <path>
B.vault token revoke <token>
C.vault lease revoke <lease_id>
D.vault lease renew <lease_id>
E.vault lease revoke -prefix <prefix>
AnswersC, E

This revokes a specific lease.

Why this answer

Both `vault lease revoke <lease_id>` and `vault lease revoke -prefix <prefix>` revoke leases directly, through `sys/leases/revoke` and `sys/leases/revoke-prefix/<prefix>` respectively. Option B also ends up revoking leases (every lease the token created), but it is a token operation and does not target a lease. Option A revokes all of a mount's leases only as a side effect of removing the whole mount, and option D extends a lease rather than ending it.

11
MCQhard

After a Vault migration, some leases are no longer valid and cause errors. What is the best way to force a cleanup of all leases under a specific mount without affecting other mounts?

A.Restart Vault servers
B.Disable and re-enable the secret engine
C.Use vault lease revoke -prefix <mount>
D.Reduce the mount's max_lease_ttl to 0
AnswerC

This revokes all leases under the given mount prefix.

Why this answer

`vault lease revoke -prefix <mount>` calls `sys/leases/revoke-prefix/<mount>` and revokes every lease under that path, leaving the mount's configuration and every other mount untouched. If some of the leases are post-migration casualties that no longer correspond to anything the engine can revoke, those revocations fail; adding `-force` (valid only with `-prefix`) then deletes Vault's records regardless, which is appropriate only after confirming the external resources are already gone. Disabling and re-enabling the engine (option B) would also revoke its leases, but it destroys the mount's configuration and data in the process. Restarting servers does nothing to leases, and a max_lease_ttl of 0 means 'use the system value', not zero.

12
MCQeasy

What happens when a lease reaches its TTL?

A.The lease is marked as expired and can no longer be renewed.
B.The lease is automatically renewed.
C.The secret is automatically revoked.
D.The lease is deleted from storage.
AnswerC

Expiry triggers revocation: Vault revokes the lease, which invalidates the secret, and then removes the lease record.

Why this answer

When a lease's TTL elapses, Vault's expiration manager revokes it. Revocation calls the secrets engine's revoke function, so a dynamic credential (a database user, an IAM user, an SSH OTP) is destroyed at that moment, and only then is the lease entry removed from storage. Because the lease no longer exists it cannot be renewed afterwards: a client that wants to keep a credential must renew before expiry, and one that missed the window has to request a new one. Option A describes a consequence rather than what Vault does; option B never happens without a client request; option D is the final cleanup step, after the secret has been revoked. If the engine's revoke call fails, the lease stays and Vault retries it, so expiry is not a guarantee that the external resource is gone (see question 8).

13
MCQhard

Refer to the exhibit. An operator wants the credential to be valid for exactly 2 hours. What should they do?

A.Increase the mount's max_lease_ttl to 2h.
B.Renew the lease with a TTL of 2h.
C.Increase the role's max_ttl to 2h.
D.Request a new credential with a TTL of 2h.
AnswerC

This allows renewals up to 2h, enabling the desired lifetime.

Why this answer

To reach a 2-hour total lifetime the role's max_ttl must be at least 2h: the lease in the exhibit starts at 30m and can be renewed repeatedly, but every renewal is capped at issue time plus the role's max_ttl. Renewing with an increment of 2h (option B) does not fail outright; Vault silently returns a TTL truncated to what the max allows, so the credential still dies early.

Raising the mount's max_lease_ttl (option A) changes only the fallback cap, which a role's own max_ttl overrides, so it has no effect while the role sets one. Requesting a new credential with ttl=2h (option D) is possible on engines that accept a `ttl` on the credential request, but that request is capped by the same role max_ttl and ends up with the same truncated lifetime until the role is changed.

14
MCQhard

An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?

A.The request will be rejected because the requested TTL exceeds the role's ttl.
B.48h
C.24h
D.72h
AnswerB

The role's ttl is only the default; with no max_ttl on the role the request's 48h is honoured, up to the mount's max_lease_ttl.

Why this answer

The correct answer is B (48h). In the PKI engine a role's `ttl` is the validity applied when the request does not ask for one; the cap is the role's `max_ttl`, and when that is unset, the mount's `max_lease_ttl` (768h by default, so 48h fits). The mount's `default_lease_ttl` of 72h plays no part here either: it is the fallback default used only when the role sets no `ttl`. Had the role also carried `max_ttl=24h`, Vault would have issued a 24-hour certificate and returned a warning that the requested TTL exceeded the maximum and was capped; it does not reject the request. Check with `vault read pki/roles/<role>` for the role's `ttl` and `max_ttl`, and `vault read sys/mounts/pki/tune` for the mount's two values.

Exam trap

The trap is treating `ttl` as a cap. `ttl` on the role and `default_lease_ttl` on the mount are defaults that apply only when the request is silent; `max_ttl` and `max_lease_ttl` are the caps, and a request above the cap is silently truncated (with a warning in the response), never rejected.

How to eliminate wrong answers

Option A is wrong because PKI never rejects a too-long TTL; it caps it. Option C would be right only if the role's `max_ttl` were 24h, which the question does not state; the role's `ttl` alone does not limit an explicit request. Option D is wrong because the mount's default_lease_ttl is a default, not a cap, and the request supplied its own TTL.
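A model of the TTL resolution discussed in questions 5, 13 and 14, added here as an example (it is not Vault's source and not from the page): it applies the default-then-cap order those answers describe and reports truncation as a warning rather than an error. The layer names and Vault's shipped 768h system values are real; `TtlConfig`, `resolve_ttl` and the sample configurations are this example's own.

```python
"""Resolve the TTL Vault will put on a secret from the layered settings.

Added example (not from the page or from HashiCorp).  It models the resolution
order Vault's dynamic secrets engines, PKI included, follow: the starting value
is the requested TTL if the client sent one, else the role's ttl, else the
mount's default_lease_ttl, else the system default; the cap is the role's
max_ttl if set, else the mount's max_lease_ttl, else the system max_lease_ttl.
Anything over the cap is truncated with a warning, never rejected.  768h for
both system values is what Vault ships with.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOUR = 3600
SYSTEM_DEFAULT_TTL = 768 * HOUR   # Vault's built-in default_lease_ttl
SYSTEM_MAX_TTL = 768 * HOUR       # Vault's built-in max_lease_ttl


@dataclass
class TtlConfig:
    role_ttl: Optional[int] = None           # role ttl / default_ttl (0 or None = unset)
    role_max_ttl: Optional[int] = None       # role max_ttl
    mount_default_ttl: Optional[int] = None  # default_lease_ttl from the mount tune
    mount_max_ttl: Optional[int] = None      # max_lease_ttl from the mount tune
    system_default_ttl: int = SYSTEM_DEFAULT_TTL
    system_max_ttl: int = SYSTEM_MAX_TTL


def _first_set(*values: Optional[int]) -> int:
    """First configured value; 0 and None both mean 'not set', as in Vault."""
    for v in values:
        if v:
            return v
    raise ValueError("no TTL configured at any layer")


def resolve_ttl(cfg: TtlConfig, requested: Optional[int] = None) -> Tuple[int, Optional[str]]:
    """Return (effective_ttl_seconds, warning_or_None)."""
    start = _first_set(requested, cfg.role_ttl, cfg.mount_default_ttl, cfg.system_default_ttl)
    cap = _first_set(cfg.role_max_ttl, cfg.mount_max_ttl, cfg.system_max_ttl)
    if start > cap:
        return cap, f"TTL of {start}s exceeds max TTL of {cap}s; capped to {cap}s"
    return start, None


def hours(n: float) -> int:
    return int(n * HOUR)


if __name__ == "__main__":
    # Question 14 as written: mount default 72h, role ttl 24h, request 48h, no max anywhere.
    q14 = TtlConfig(role_ttl=hours(24), mount_default_ttl=hours(72))
    print(resolve_ttl(q14, requested=hours(48)))      # 48h honoured, no warning
    # Same role with max_ttl=24h: the request is silently truncated.
    capped = TtlConfig(role_ttl=hours(24), role_max_ttl=hours(24), mount_default_ttl=hours(72))
    print(resolve_ttl(capped, requested=hours(48)))
```

The same function reproduces question 13 (a 2h request against a role max_ttl of 30m comes back as 30m until the role is raised) and question 18 (a role default_ttl of 1h under a 24h max_ttl issues 1-hour credentials).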

15
Multi-Selectmedium

A Vault administrator needs to manage leases for dynamic secrets. Which TWO of the following are valid operations related to lease management?

Select 2 answers
A.Call the sys/leases/renew endpoint to renew a lease.
B.Call the sys/leases/list endpoint to disable a lease.
C.Call the sys/leases/revoke endpoint to revoke a lease.
D.Call the sys/leases/extend endpoint to increase the lease duration.
E.Call the sys/leases/rotate endpoint to rotate the secret associated with a lease.
AnswersA, C

Correct operation to renew a lease.

Why this answer

Option A is correct because `sys/leases/renew` (PUT with `lease_id` and an optional `increment`) is the endpoint that extends a lease's TTL, within its max TTL. Option C is correct because `sys/leases/revoke` (PUT with `lease_id`) immediately invalidates the lease and runs the secrets engine's revocation for the associated secret. Option B fails twice: there is no `sys/leases/list` path (listing is `LIST sys/leases/lookup/<prefix>`), and listing never disables anything. Options D and E name endpoints that do not exist.

Exam trap

HashiCorp often tests the misconception that lease management endpoints have intuitive names like 'extend' or 'rotate'. The `sys/leases` family is `lookup` (PUT with a lease_id, or `LIST sys/leases/lookup/<prefix>`), `renew`, `revoke`, `revoke-prefix/<prefix>`, `revoke-force/<prefix>` and `tidy`; there is no extend, rotate or list endpoint. Rotating the secret behind a lease is an engine-specific operation (for example `database/rotate-root/<name>`, or `database/rotate-role/<name>` for static roles), not a lease operation.

16
MCQmedium

A security policy requires that all leases must be revoked within 1 hour of creation. Which setting should be configured on the secret engine mount?

A.default_lease_ttl = 1h
B.token_ttl = 1h
C.max_lease_ttl = 1h
D.default_lease_ttl = 1h and max_lease_ttl = 1h
AnswerD

This combination caps the lease at 1h and ensures initial TTL is 1h.

Why this answer

Setting both default_lease_ttl and max_lease_ttl to 1h on the mount ensures that secrets are issued with a 1h TTL and cannot be renewed beyond it; a role-level default_ttl or max_ttl shorter than 1h still applies, but nothing under the mount can exceed the mount's max. Tokens are governed separately by the auth method's TTL settings and do not inherit these values.

17
MCQeasy

A company runs a microservices architecture where each service authenticates to Vault using AppRole. The operations team notices that some services experience authentication failures after exactly 24 hours of uptime. The tokens are issued with 'renewable' set to true, the services renew them automatically before expiry, and for the first 24 hours every renewal succeeds. After that, the Vault logs show the error: 'failed to renew token: token has exceeded its max TTL'. The Vault server is configured with a system-level 'max_lease_ttl' of 24 hours and a 'default_lease_ttl' of 1 hour. The AppRole role has no explicit token_ttl, token_max_ttl or token_period set. What is the most likely cause of the failure?

A.The token's TTL is 1 hour (the system default) and the services fail to renew it before it expires.
B.The AppRole role has an implicit max TTL of 0, which prevents any renewal after the initial TTL.
C.The services are not renewing their tokens because the 'renewable' flag is ignored when token_period is unset.
D.With no token_max_ttl on the role, the token's max TTL falls back to the system 'max_lease_ttl' of 24 hours; once that much time has passed since the token was issued, renewal is refused.
AnswerD

A renewable token can be renewed only until its max TTL; here that is inherited from the system max_lease_ttl, so after 24 hours the service must log in again.

Why this answer

Option D is correct. Each renewal extends the token by up to its TTL but never past its issue time plus max TTL, and with nothing set on the role the cap is the system max_lease_ttl (24h). The fix is for the service to re-authenticate with its RoleID and SecretID when a renewal fails or returns a shorter TTL than requested, which is what Vault Agent's auto-auth does on the service's behalf. Option A is wrong because the logs show renewals succeeding for a day and then hitting the max TTL, not a missed renewal. Option B is wrong because a token_max_ttl of 0 means 'inherit the mount or system value', not 'no renewal'. Option C is wrong because renewable tokens can be renewed whether or not they are periodic.

The caveat to remember: a periodic token (token_period set on the role) has no max TTL and can be renewed indefinitely as long as each renewal lands within the period, so this error cannot occur for one. Periodic tokens are the tool for long-running services that must never re-login, at the price of losing the hard upper bound on token lifetime.
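A small simulation of the expiration-manager rules behind questions 2, 9, 12 and 17, added here as an example (it is not Vault code and not from the page): renewals are capped at issue time plus max TTL, the TTL Vault returns is what counts, an expired lease cannot be renewed, and a token's death revokes the leases it requested. The clock is passed in explicitly, the lease IDs are made up, and the 40-minute renewal cadence in `q17_scenario` is an assumption.

```python
"""Simulate Vault's expiration manager for a token and the leases it requested.

Added example, not Vault code.  It models the rules the quiz keeps returning to:
a renewal moves expiry to now + increment but never past issue_time + max_ttl,
the returned TTL is authoritative (the increment is a hint), an expired lease
cannot be renewed, and when the parent token expires or is revoked every lease
it created is revoked with it.  A manual clock replaces time.time() so the
sequence is reproducible.  A periodic token (no max TTL) is max_ttl=None.
"""
from dataclasses import dataclass, field
from typing import List, Optional


class LeaseError(Exception):
    pass


@dataclass
class Lease:
    lease_id: str
    issue_time: int
    ttl: int                     # initial TTL in seconds
    max_ttl: Optional[int]       # None = no max (periodic token)
    expire_time: int = field(init=False)
    revoked: bool = False
    children: List["Lease"] = field(default_factory=list)   # leases requested with this token

    def __post_init__(self) -> None:
        self.expire_time = self.issue_time + self.ttl

    def alive(self, now: int) -> bool:
        return not self.revoked and now < self.expire_time

    def renew(self, now: int, increment: int) -> int:
        """Return the new TTL Vault would report; raise when renewal is refused."""
        if not self.alive(now):
            raise LeaseError(f"{self.lease_id}: lease not found or expired")
        new_expiry = now + increment
        if self.max_ttl is not None:
            hard_stop = self.issue_time + self.max_ttl
            if now >= hard_stop:
                raise LeaseError(f"{self.lease_id}: exceeded its max TTL")
            new_expiry = min(new_expiry, hard_stop)   # the increment is only a hint
        self.expire_time = new_expiry
        return self.expire_time - now

    def revoke(self) -> None:
        """Revoke this lease and, cascading, everything requested with it."""
        self.revoked = True
        for child in self.children:
            child.revoke()


def tick(leases: List[Lease], now: int) -> List[str]:
    """One expiration-manager pass: revoke whatever has expired, return the IDs revoked."""
    revoked: List[str] = []
    for lease in leases:
        if not lease.revoked and now >= lease.expire_time:
            lease.revoke()
            revoked.append(lease.lease_id)
    return revoked


def q17_scenario() -> List[int]:
    """Renewable token, ttl 1h, max 24h (the system cap); renewed every 40 minutes.
    Returns the TTLs Vault hands back: 3600 each time until the last renewal is
    truncated to 2400, then the renewal at t=24h is refused."""
    token = Lease("auth/approle/login/h1", issue_time=0, ttl=3600, max_ttl=24 * 3600)
    returned: List[int] = []
    now = 0
    while True:
        now += 40 * 60
        try:
            returned.append(token.renew(now, increment=3600))
        except LeaseError:
            break
    return returned


def cascade_scenario() -> List[bool]:
    """A 15-minute token with two database leases: when the token dies, so do they."""
    token = Lease("auth/kubernetes/login/h2", issue_time=0, ttl=900, max_ttl=None)
    db1 = Lease("database/creds/ro/a1", issue_time=10, ttl=3600, max_ttl=86400)
    db2 = Lease("database/creds/ro/b2", issue_time=20, ttl=3600, max_ttl=86400)
    token.children.extend([db1, db2])
    tick([token, db1, db2], now=900)          # token TTL elapsed without renewal
    return [token.alive(901), db1.alive(901), db2.alive(901)]


if __name__ == "__main__":
    print(q17_scenario())
    print(cascade_scenario())
```

A client loop built on these rules should compare the returned TTL with what it asked for: a shorter answer means the max TTL is near and it is time to request a new credential (or log in again for a token) rather than keep renewing.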

18
MCQeasy

A development team is using Vault to dynamically generate PostgreSQL credentials for their application. They configured a database role with a max_ttl of 24 hours. However, credentials are becoming invalid after only 1 hour, causing application errors. The team has verified that the credentials are not being explicitly revoked. Which action should the Vault administrator take to resolve this issue?

A.Extend the TTL of the token used to generate credentials.
B.Update the database role's default_ttl to 24 hours.
C.Increase the database engine's max_lease_ttl to 48 hours.
D.Instruct the team to renew the lease every 30 minutes.
AnswerB

default_ttl sets the initial lease duration; raising it issues the credential with the intended lifetime instead of relying on renewals to reach it.

Why this answer

On the database engine the role parameters are `default_ttl` and `max_ttl`. The role's default_ttl is 1h (or unset and inheriting a 1h mount default), so every credential is issued with a 1-hour lease; max_ttl only caps how far renewals may extend it. Setting default_ttl to 24h issues the credential with the lifetime the team expects, which is why option B is correct.

Option C is wrong because the cap is not what is being hit; the lease never gets near 24h. Option D keeps credentials alive through renewal but is a workaround that changes no configuration and fails the moment a renewal is missed. Option A is wrong because the token's TTL does not set the credential's lease duration; a token expiring would revoke the lease, which is worth ruling out with `vault token lookup` if the token TTL happened to be 1h, but the fix for the stated configuration is the role's default_ttl.

19
MCQeasy

Refer to the exhibit. What is the most likely cause of this error?

A.The token lacks permission.
B.The secret engine was disabled.
C.The lease ID is incorrect.
D.The lease has expired.
AnswerC

An ID that does not match any lease entry yields 'lease not found'.

Why this answer

Vault returns 'lease not found' whenever `sys/leases/lookup` (or renew, or revoke) is given an ID that does not map to a lease entry. A mistyped or truncated lease ID (option C) produces exactly this, and so does a lease that has already expired and been revoked (option D), because the entry is removed on revocation. To tell the two apart, list the prefix with `vault list sys/leases/lookup/<mount>/creds/<role>/` and compare the stored IDs with the one in the error, and compare the lease's issue time plus TTL with the current time. Options A and B produce different errors: a permissions problem returns 'permission denied', and a disabled engine makes reads of the secret path fail with a routing error rather than a lease lookup failure.

20
MCQmedium

A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?

A.Set the mount's max_lease_ttl to 1h.
B.Ask each developer to set the TTL when requesting credentials.
C.Configure the role with a ttl of 1h.
D.Use a periodic token with a period of 1h.
AnswerC

The role-level ttl overrides the default lease TTL.

Why this answer

Option C is correct because the database secrets engine allows role-level TTL configuration that overrides the mount's default lease duration for credentials generated from that role; the parameter is `default_ttl` (with `max_ttl` capping renewals), which the option abbreviates as `ttl`. By setting the role's default_ttl to 1h, the team enforces a 1-hour expiration for credentials created under that specific role without affecting the mount default or other roles. Setting the role's max_ttl to 1h as well is the way to also stop renewals from extending the credential past the hour.

Exam trap

The trap here is that candidates often confuse mount-level TTL settings with role-level TTL settings, assuming that changing the mount's `max_lease_ttl` is the only way to enforce expiration, when in fact role-level configuration provides granular control without affecting other secrets.

How to eliminate wrong answers

Option A is wrong because setting the mount's `max_lease_ttl` to 1h would enforce a hard upper limit on all secrets generated from that mount, including other roles or engines, which violates the requirement to not change the default lease TTL for all secrets. Option B is wrong because relying on each developer to set the TTL when requesting credentials is error-prone and does not enforce the policy centrally; developers might forget or intentionally set a longer TTL, leading to non-compliance. Option D is wrong because periodic tokens are used for long-lived tokens that automatically renew, not for database credentials; they do not control the TTL of dynamic credentials generated by the database secrets engine.

21
MCQeasy

A developer requests a credential from this role. Which statement about the resulting lease is true?

A.The lease will have a TTL of 24 hours and can be renewed.
B.The lease will have a TTL of 1 hour and can be renewed.
C.The lease will have a TTL of 1 hour and cannot be renewed.
D.The lease will have a TTL of 24 hours and cannot be renewed.
AnswerC

The default_ttl sets the initial TTL, and renewable=false prevents renewal.

Why this answer

The role has default_ttl=1h and renewable=false, so the lease will have an initial TTL of 1 hour and cannot be renewed. The max_ttl of 24h is irrelevant because renewal is disabled. Option C is correct.

22
MCQeasy

Which of the following commands would force a lease to expire immediately?

A.vault lease renew -increment=0 <lease_id>
B.vault lease revoke <lease_id>
C.vault lease expire <lease_id>
D.vault write sys/leases/revoke-lease lease_id=<lease_id>
AnswerB

`vault lease revoke <lease_id>` calls `sys/leases/revoke`, which revokes the lease immediately.

Why this answer

Option B is correct. `vault lease revoke <lease_id>` is the CLI front end for `PUT sys/leases/revoke` with the lease ID in the body; Vault runs the secrets engine's revocation synchronously (unless `-sync=false` is given) and the credential is gone when the command returns. There is no grace period and no deferred revocation for a normal revoke.

Exam trap

The trap is the invented endpoint name. The revoke endpoints are `sys/leases/revoke` (one lease), `sys/leases/revoke-prefix/<prefix>` (every lease under a path) and `sys/leases/revoke-force/<prefix>` (drop Vault's records even if the engine's revocation fails). Candidates who only remember the CLI should map `vault lease revoke`, `-prefix` and `-force` onto those three paths.

How to eliminate wrong answers

Option A is wrong because `-increment=0` tells Vault to use the lease's default increment, which extends the lease rather than ending it; a renewal can never shorten a lease. Option C is wrong because `vault lease expire` does not exist; the `vault lease` subcommands are `lookup`, `renew` and `revoke`. Option D is wrong because `sys/leases/revoke-lease` is not a Vault path; the equivalent raw call is `vault write sys/leases/revoke lease_id=<lease_id>`.

23
MCQeasy

Based on the exhibit, what is the maximum total lifespan of this lease?

A.2 hours
B.90 minutes
C.1 hour
D.30 minutes
AnswerC

The max_ttl indicates the maximum total lifespan.

Why this answer

The max_ttl field shows 1h, which is the maximum total time the lease can exist from its issue time, including all renewals. The current ttl of 30m is the remaining time if no renewal happens; the lease can be renewed, but never past the 1-hour max_ttl. Option C is correct.

24
MCQhard

A large enterprise runs Vault in a production environment with multiple secrets engines, including databases, AWS, and PKI. Recently, the operations team noticed that the number of active leases has grown significantly, causing performance degradation in Vault. The team suspects that many leases are orphaned or expired but not cleaned up. They run the `sys/leases/tidy` operation regularly (`vault write -f sys/leases/tidy`), but the issue persists. The Vault audit logs show no errors during revocation. However, the team observes that the database credentials are being revoked correctly, but the PKI certificates are not being revoked when their leases expire. Additionally, some AWS IAM user leases seem to persist beyond their max TTL. What is the most likely cause of this issue?

A.The max_ttl setting for the PKI and AWS roles is set incorrectly.
B.The vault lease tidy command is not effective for PKI and AWS secrets engines.
C.The PKI and AWS secrets engines require explicit revocation of the underlying secret, which is not triggered by lease expiration alone.
D.The Vault server's clock is out of sync, causing lease expiration calculations to be inaccurate.
AnswerC

Lease housekeeping only touches what Vault leases: PKI certificates are not leased by default, and tidying lease metadata never revokes an external resource.

Why this answer

Option C is the intended answer, and it is right for PKI: a PKI role issues certificates without a lease unless `generate_lease=true` is set on the role, so Vault neither tracks them as leases nor revokes them on a timer. A certificate stays valid until its notAfter, and removing it earlier requires an explicit `pki/revoke`, which places it on the CRL. `sys/leases/tidy` only cleans up lease metadata; certificate storage is tidied separately with `vault write pki/tidy tidy_cert_store=true tidy_revoked_certs=true`, which removes expired certificates and stale revocation entries once they are older than the `safety_buffer`.

For AWS the statement needs a caveat: an IAM user created by the AWS engine is deleted when its lease is revoked, and expiry-driven revocation does trigger that. IAM users persisting beyond the role's max TTL therefore indicate that the lease is still present in Vault (revocation pending or failing; check with `vault lease lookup <lease_id>`) rather than a missing revocation hook. Option B is wrong because tidy behaves the same for every engine: it prunes lease metadata and never revokes anything. Option A does not explain certificates outliving their leases, and option D is ruled out because database revocations run on time.

25
MCQmedium

A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?

A.Set the default lease TTL on the database mount to 1 hour.
B.Configure the database role with a TTL of 1 hour and an explicit max TTL of 2 hours.
C.Increase the system's default lease TTL to 48 hours to give applications more flexibility.
D.Manually revoke leases after each application finishes using them.
AnswerB

This ensures each lease expires after 1 hour, and the explicit max TTL prevents any renewal beyond 2 hours, minimizing exposure.

Why this answer

Option B is correct because configuring the database role with default_ttl=1h and max_ttl=2h (those are the role parameter names on the database engine) issues each credential with a 1-hour lease while guaranteeing that renewals cannot push it past 2 hours, even if the application keeps renewing or never releases it. This minimises the exposure window by capping the lease duration, and the administrator can rely on Vault's automatic revocation at expiry rather than manual intervention. The mount's default lease TTL of 24 hours is overridden by the role-level TTL, which is the proper way to enforce shorter-lived credentials for a specific application. For best effect the application should also revoke its lease explicitly (`vault lease revoke <lease_id>`) when it is finished, so the credential dies before the TTL rather than at it.

Exam trap

The trap here is that candidates often confuse the mount-level default lease TTL with the role-level TTL, assuming that changing the mount default is sufficient, when in fact the role-level TTL and explicit max TTL are required to enforce a strict upper bound on credential lifetime.

How to eliminate wrong answers

Option A is wrong because setting the default lease TTL on the database mount to 1 hour would affect all roles and secrets under that mount, potentially breaking applications that need longer leases, and it does not provide a separate max TTL to cap the absolute lifetime. Option C is wrong because increasing the system's default lease TTL to 48 hours would make the exposure window even larger, directly contradicting the goal of minimizing it. Option D is wrong because manually revoking leases is impractical, error-prone, and does not scale; Vault is designed to automate lease lifecycle management via TTLs and revocation on expiry.

26
MCQmedium

A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. Which of the following actions should they take?

A.Increase the default lease TTL for the KV v2 mount to 1 hour.
B.Increase the token TTL for the Kubernetes auth role to 1 hour.
C.Implement a renewal loop in each service to renew tokens every 10 minutes.
D.Use periodic tokens with a period of 1 hour for all services.
AnswerB

Token TTL directly addresses the token expiration issue.

Why this answer

Option B is correct because increasing the token TTL for the Kubernetes auth role to 1 hour directly addresses the root cause: the current 15-minute TTL is too short for long-running tasks, causing tokens to expire before services can complete their work. By raising the TTL to 1 hour, services have sufficient time to complete tasks and renew tokens, while still maintaining security through short-lived credentials. This approach does not require code changes and leverages Vault's built-in token lifecycle management.

Exam trap

HashiCorp often tests the distinction between token TTL and secret lease TTL, and the trap here is that candidates confuse increasing the KV v2 mount's default lease TTL (Option A) with increasing the token TTL, when only the latter resolves token expiration issues for long-running tasks.

How to eliminate wrong answers

Option A is wrong because increasing the default lease TTL for the KV v2 mount affects the lease duration of secrets read from the mount, not the token TTL itself; the 'lease not found' errors are due to token expiration, not secret lease expiration. Option C is wrong because implementing a renewal loop in each service does not fix the underlying issue that the token TTL is too short for long-running tasks; even with renewal, if a task exceeds the TTL without renewal, the token will expire, and adding renewal logic increases complexity without addressing the root cause. Option D is wrong because periodic tokens are designed for long-lived daemons or services that need indefinite token lifetimes, which would compromise security by removing the short-lived nature of tokens, contrary to the requirement to fix the issue without compromising security.

27
MCQeasy

An admin needs to check the remaining lifespan of a lease. Which command should they use?

A.vault read sys/leases/lookup/<lease_id>
B.vault lease list <lease_id>
C.vault lease lookup <lease_id>
D.vault lease renew -increment=0 <lease_id>
AnswerC

This command shows the lease details including remaining TTL.

Why this answer

The `vault lease lookup` command displays lease details including the remaining TTL, so Option C is correct. Option A reads from sys/leases/lookup, but that path is for listing leases, not a single lease.

Option B lists leases rather than inspecting a specific lease. Option D with -increment=0 would attempt a renewal, not a lookup.

28
MCQhard

A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?

A.The lease is not renewable.
B.The mount's max_lease_ttl is set to 1h.
C.The developer does not have permission to renew the lease.
D.The role's max_ttl is set to 1h.
AnswerD

The role max_ttl caps the lease duration.

Why this answer

Option D is correct because the role's max_ttl overrides the lease duration when it is shorter than the requested TTL. Even if the lease is renewed, the effective TTL cannot exceed the role's max_ttl, which is set to 1 hour. This is a common Vault behavior where the role's maximum TTL acts as a hard cap on lease lifetimes.

Exam trap

HashiCorp often tests the distinction between role-level and mount-level TTL limits, trapping candidates who assume the mount's max_lease_ttl is the sole constraint when a lower role max_ttl is configured.

How to eliminate wrong answers

Option A is wrong because Vault leases are inherently renewable unless explicitly configured otherwise; the question states the lease was renewed, so it is renewable. Option B is wrong because the mount's max_lease_ttl is a system-wide limit, but the role's max_ttl is a more specific constraint that takes precedence when it is lower. Option C is wrong because the developer successfully renewed the lease, which requires permission to renew; if permission were lacking, the renewal would fail entirely.

29
Matchingmedium

Match each Vault term to its definition.


Encrypted state requiring unseal

Decrypt master key to access data

Encryption layer protecting storage

Key splitting for unseal

Superuser token with full access

Why these pairings

These are core Vault concepts.

30
Multi-Selectmedium

An admin needs to revoke all leases associated with a particular policy violation. Which two methods can be used? (Choose two.)

Select 2 answers
A.vault sys/leases/revoke-force <prefix>
B.vault token revoke -mode=orphan <token>
C.vault lease revoke <lease_id>
D.vault write sys/leases/revoke-prefix <prefix>
E.vault lease revoke -prefix <mount_path>
AnswersD, E

API equivalent to revoke by prefix.

Why this answer

Both `vault lease revoke -prefix <prefix>` and `vault write sys/leases/revoke-prefix <prefix>` revoke all leases with the given prefix, which can target the mount or role involved in the policy violation. Option C revokes a single specific lease only. Option B revokes a token and its leases, but not by policy prefix.

Option A has an incorrect path.

31
MCQeasy

A developer is troubleshooting an application that uses Vault's PostgreSQL secrets engine. The application successfully obtains a database credential from Vault, but after 30 minutes, the application starts receiving authentication errors from the database. The developer checks the Vault audit logs and sees that the lease for the credential was revoked. The lease was originally created with a TTL of 1 hour. The application is not renewing the lease. The developer wants to fix the issue so that the credential works for the full 1 hour. What should the developer do?

A.Revoke the lease and request a new credential with a longer TTL.
B.Modify the application to renew the lease before it expires using the lease ID.
C.Use the lease ID from the response to call sys/leases/renew periodically.
D.Increase the TTL of the database role to 2 hours.
AnswerB

Renewing the lease extends its duration and prevents premature revocation.

Why this answer

Option B is correct because the application must actively renew the lease before it expires to maintain the database credential. Vault issues leases with a TTL, but the lease is not automatically extended; the client must call the renew endpoint using the lease ID. Since the application is not renewing, the lease is revoked at its TTL (1 hour) or earlier if the default lease duration is shorter, causing authentication errors after 30 minutes if the default lease TTL is 30 minutes.

Exam trap

The trap here is that candidates assume increasing the TTL or requesting a new credential will solve the problem, but Cisco tests the understanding that leases must be actively renewed by the client, not automatically extended by Vault.

How to eliminate wrong answers

Option A is wrong because revoking the lease and requesting a new credential with a longer TTL does not address the root cause—the application's failure to renew the lease; the credential will still expire if not renewed. Option C is wrong because calling sys/leases/renew is the correct API endpoint for renewal, but the developer needs to modify the application to call it periodically, not just use the lease ID from the response; the option implies a manual or one-time action, not a programmatic renewal loop. Option D is wrong because increasing the TTL of the database role to 2 hours only extends the maximum lease duration, but the application still does not renew the lease, so the credential will still be revoked after the TTL (now 2 hours) unless renewed; the issue is the lack of renewal, not the TTL length.

32
MCQhard

A security team wants to ensure that database credentials generated by Vault are never renewed and have a fixed lifespan of 30 minutes. They configure the role with default_ttl=30m and max_ttl=30m, and set renewable=false. However, they find that some users are able to renew the leases anyway. What could be the reason?

A.The renewable flag requires the role to be updated after existing leases are issued.
B.The renewable flag is not respected when max_ttl equals default_ttl.
C.The renewable flag is only applicable to token auth methods, not secrets engines.
D.The lease's renewable property is controlled by the client token's renewable status.
AnswerA

Existing leases retain their original renewable setting; only new leases reflect the updated role.

Why this answer

When a role's configuration is changed, existing leases are not updated. Users who obtained leases before the renewable flag was set to false still hold leases with renewable=true. Option A correctly identifies that the role was likely updated after some leases were issued.

Option B is incorrect because the renewable flag is respected regardless of whether max_ttl equals default_ttl. Option C is false; renewable applies to secrets engine leases as well. Option D is incorrect; the lease's renewable property is independent of the token's.

33
MCQmedium

An operator runs vault lease list and sees many expired leases. Why are expired leases still listed?

A.The leases are not actually expired.
B.The operator has permission to see expired leases.
C.Vault keeps expired leases for auditing until cleaned up by garbage collection.
D.Expired leases are never removed.
AnswerC

Expired leases remain in storage until garbage collection runs.

Why this answer

Vault does not immediately remove expired leases; they are cleaned up by a periodic garbage collection process. Until then, they may appear in listing.

34
MCQeasy

An admin wants to revoke all leases associated with a specific AWS IAM user created by Vault. Which command should they use?

A.vault lease revoke aws/creds/myrole/ -prefix
B.vault lease revoke aws/creds/myrole
C.vault lease revoke -prefix aws/creds/myrole
D.vault lease revoke -path aws/creds/myrole
AnswerC

This revokes all leases starting with 'aws/creds/myrole', which covers all IAM users from that role.

Why this answer

The `vault lease revoke -prefix` command revokes all leases with a given prefix. The prefix for AWS IAM users created by a role is typically 'aws/creds/role-name'. Option C correctly uses the -prefix flag.

Option A revokes only that exact path if it were a lease ID. Option B has no -prefix. Option D has an incorrect syntax.

35
Multi-Selecthard

An organization uses Vault's AWS secrets engine to generate temporary IAM credentials. The Vault administrator has set the default lease TTL on the AWS mount to 15 minutes. A developer creates a role with role TTL of 30 minutes and explicit max TTL of 1 hour. Which TWO statements are true regarding the lease behavior for credentials generated under this role?

Select 2 answers
A.The initial lease duration will be 30 minutes (the role TTL).
B.The lease can be renewed up to a total lifetime of 1 hour (explicit max TTL).
C.The lease can be renewed indefinitely up to the system max TTL.
D.The initial lease duration will be 15 minutes (the default lease TTL).
E.The lease duration is the minimum of default lease and role TTL.
AnswersA, B

The role TTL is used as the lease duration at creation time.

Why this answer

Option A is correct because when a role has an explicit role TTL (30 minutes), Vault uses that value as the initial lease duration for credentials generated under that role, overriding the default mount TTL. The default lease TTL of 15 minutes on the AWS mount only applies when no role TTL is specified.

Exam trap

HashiCorp often tests the distinction between initial lease duration (role TTL) and total allowable lifetime (explicit max TTL), and the trap here is assuming the default mount TTL or a minimum calculation governs the initial lease when a role TTL is explicitly configured.

36
MCQeasy

Which of the following best describes a Vault lease?

A.A permission to access a path.
B.A time-limited agreement that governs the lifecycle of a secret.
C.A contract to use a secret for a certain duration.
D.The actual secret value.
AnswerB

This accurately describes a lease as a time-bound contract for secret usage.

Why this answer

A Vault lease is a time-bound agreement that governs the lifecycle of a secret, including its validity period, renewal, and revocation. When a secret is read from Vault, it is returned with a lease ID and a lease duration (TTL), after which the secret is automatically revoked unless renewed. This ensures that secrets are not valid indefinitely, reducing the risk of exposure.

Exam trap

HashiCorp often tests the distinction between the lease itself (the lifecycle management agreement) and the secret value, leading candidates to mistakenly choose Option D because they think the lease is the actual secret.

How to eliminate wrong answers

Option A is wrong because a Vault lease is not merely a permission to access a path; permissions are defined by policies attached to tokens or auth methods, not by leases. Option C is wrong because a lease is not a contract to use a secret for a certain duration; it is a technical mechanism that automatically manages the secret's lifecycle, including renewal and revocation, not a contractual agreement. Option D is wrong because the actual secret value is the data returned by Vault (e.g., a password or API key), while the lease is the metadata (lease ID, TTL, renewable flag) that controls that secret's lifecycle.

37
MCQmedium

A developer wants to ensure that their application automatically renews its secret leases before expiration. Which approach is recommended?

A.Set the lease TTL to infinite.
B.Use a cron job to call vault lease renew periodically.
C.Use Vault agent with a template and renew capability.
D.Use periodic tokens with auto-renewal.
AnswerC

Vault Agent is designed for automatic lifecycle management of leases.

Why this answer

Vault Agent's template and renew capability is the recommended approach because it automatically manages the lifecycle of dynamic secrets, including renewing leases before they expire. Vault Agent runs as a sidecar or daemon and uses its built-in renewer to periodically extend the lease TTL, ensuring the application always has a valid secret without manual intervention or external scheduling.

Exam trap

HashiCorp often tests the distinction between renewing a token (which can use periodic tokens) versus renewing a secret lease (which requires Vault Agent or explicit lease renewal), causing candidates to mistakenly choose periodic tokens for secret lease renewal.

How to eliminate wrong answers

Option A is wrong because setting the lease TTL to infinite is not supported by Vault; leases always have a finite TTL defined by the secret engine's default or maximum, and infinite TTL would violate security best practices by never forcing rotation. Option B is wrong because using a cron job to call vault lease renew is brittle and not recommended; it introduces a single point of failure, lacks awareness of lease expiration timing, and does not handle Vault Agent's automatic renewal or template rendering. Option D is wrong because periodic tokens with auto-renewal are used for long-lived tokens, not for renewing secret leases; secret leases (e.g., database credentials, AWS IAM keys) require explicit lease renewal via the /sys/leases/renew endpoint, and periodic tokens do not automatically renew those leases.

38
MCQhard

An organization uses Vault with a database secrets engine. They have a role that issues credentials with a lease TTL of 30 minutes. After some time, they notice that the database is full of stale users. What is the most likely cause?

A.The lease revocation process is failing due to network issues.
B.The database rotation statement is incorrect, causing Vault to not properly revoke credentials.
C.The role's max_ttl is set too high, allowing leases to live longer.
D.Vault's tidy operation is not configured to clean up stale leases.
AnswerD

Without tidy, expired leases may not have their underlying secrets revoked.

Why this answer

Vault does not automatically revoke the actual database user when a lease expires; it relies on the tidy operation to clean up stale leases and revoke the underlying credentials. If tidy is not run or configured, expired leases can leave behind database users. Option D is correct.

Option C: a high max_ttl would lengthen the lifespan, but leases would still eventually expire. Option B: the rotation statement affects password changes, not revocation. Option A: network issues could cause revocation failures, but tidy would still help clean up.

39
MCQmedium

A Vault administrator wants to configure a role for dynamic secrets with a default TTL of 1 hour and a max TTL of 4 hours. They also want to allow renewal but only up to the max TTL. Which configuration achieves this?

A.default_ttl=1h, max_ttl=4h, renewable=false
B.default_ttl=4h, max_ttl=1h, renewable=true
C.default_ttl=1h, max_ttl=4h, renewable=true
D.default_ttl=1h, max_ttl=4h, renewable=true, ttl=1h
AnswerC

This allows renewal up to the max_ttl of 4 hours.

Why this answer

Setting default_ttl=1h, max_ttl=4h, and renewable=true allows the lease to be renewed up to a total lifespan of 4 hours, with an initial TTL of 1 hour, so Option C is correct. Option A has renewable=false, preventing renewal.

Option B has max_ttl less than default_ttl, which is invalid. Option D adds an unnecessary ttl parameter.

40
MCQeasy

What command is used to view the remaining time on a lease?

A.vault lease lookup <lease_id>
B.vault lease info <lease_id>
C.vault status <lease_id>
D.vault read <lease_id>
AnswerA

This command shows lease information including TTL.

Why this answer

The correct command to view the remaining time on a lease is `vault lease lookup <lease_id>`. This command retrieves the lease metadata, including the issue time, duration (TTL), and remaining time, directly from the Vault server. It is the standard method for inspecting lease details without extending or modifying the lease.

Exam trap

HashiCorp often tests the distinction between `vault lease lookup` and `vault read`, where candidates mistakenly think `vault read` can inspect lease details because it is used to read secrets, but lease metadata requires a dedicated lease API command.

How to eliminate wrong answers

Option B is wrong because `vault lease info` is not a valid Vault CLI command; the correct subcommand is `lookup`. Option C is wrong because `vault status` displays the seal status and HA state of the Vault server, not lease information. Option D is wrong because `vault read` is used to read secrets or data from a path, not to inspect lease metadata; it would attempt to read the path as a secret, which would fail or return unrelated data.

41
Multi-Selecteasy

Which two of the following are valid lease operations? (Choose two.)

Select 2 answers
A.vault lease renew
B.vault lease create
C.vault lease delete
D.vault lease generate
E.vault lease revoke
AnswersA, E

This is a valid command to renew leases.

Why this answer

Option A is correct because `vault lease renew` is a valid Vault CLI command used to extend the lifetime of a lease before it expires. In HashiCorp Vault, leases are associated with dynamic secrets (e.g., database credentials, AWS IAM keys) and must be periodically renewed to maintain access. The `renew` operation is a core lease lifecycle operation supported by the Vault API and CLI.

Exam trap

HashiCorp often tests the distinction between lifecycle operations that are explicitly supported (renew, revoke) versus operations that are not part of the Vault CLI (create, delete, generate), leading candidates to assume all CRUD-like verbs are valid.

42
MCQmedium

A DevOps team uses Vault to generate temporary database credentials. They notice that some applications are failing because their database credentials expire unexpectedly before the expected TTL. The Vault admin configured the database role with a default TTL of 1h and max TTL of 24h. What is the most likely cause?

A.The database role's max TTL is being enforced, but the default TTL is shorter.
B.The Vault server's clock is skewed, causing early expiry.
C.The application is renewing the lease too frequently, causing Vault to reset the TTL.
D.The application is not renewing the lease, and the lease TTL is counted from the issue time.
AnswerD

Leases expire based on their original TTL if not renewed before expiry.

Why this answer

Leases expire based on their original TTL from issue time unless renewed. The default TTL is 1h, so credentials expire after 1h if not renewed, causing failures if applications assume longer validity. Option D correctly identifies that the applications are likely not renewing the lease.

Option C is wrong because frequent renewal extends the lease rather than shortening it. Option B is unlikely without evidence of clock skew. Option A is incorrect because the max TTL is higher than the default TTL, so it does not cause early expiry.

43
Drag & Dropmedium

Drag and drop the steps to configure Vault's audit logging to a file into the correct order.


Why this order

Enable audit, verify, generate logs, check the file, then optionally tune.

44
Multi-Selecteasy

Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)

Select 2 answers
A.Reducing the default lease TTL
B.Revoking a lease
C.Creating a new lease
D.Increasing the max lease TTL
E.Renewing a lease
AnswersA, B

Shorter TTLs cause leases to expire faster, reducing count.

Why this answer

Reducing the default lease TTL (time-to-live) shortens the maximum duration for which a lease can be issued without renewal. When existing leases expire sooner, the system automatically removes them from the active lease count, thereby reducing the number of active leases. This directly affects the lease lifecycle by forcing earlier expiration.

Exam trap

HashiCorp often tests the misconception that increasing TTL values or renewing leases reduces active leases, but both actions actually prolong lease lifetimes and can increase the active count if new leases are created concurrently.

45
MCQhard

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

A.Vault is sealed
B.Upstream error
C.Permission denied
D.Lease not found
AnswerA

Vault returns an error indicating it is sealed when trying to perform operations.

Why this answer

When Vault is sealed, it cannot process any operations, including lease renewal. The error would indicate the sealed state.

46
MCQhard

A Vault operator runs the command shown in the exhibit and wants to renew the lease before it expires. The operator has a valid token. What must be true for the renewal to succeed?

A.The operator must first revoke the lease and re-issue it to obtain a longer TTL.
B.The token's 'explicit_max_ttl' must be at least as long as the lease's remaining TTL.
C.The 'max_ttl' parameter in the database role must be increased to allow renewal.
D.The operator can renew the lease by running 'vault lease renew database/creds/my-role/abc123'.
AnswerD

Since the lease is renewable and the token is valid, a simple renew command will succeed and extend the lease.

Why this answer

Option D is correct because the lease is renewable (renewable: true) and the operator has a valid token, so simply calling 'vault lease renew' with the lease ID will succeed. Option A is wrong because revoking and re-issuing the lease is unnecessary when the lease is renewable. Option B is wrong because the token's 'explicit_max_ttl' is not directly checked; the token must be valid and have appropriate permissions. Option C is wrong because the role's max_ttl does not need to be increased; the renewal is simply subject to the role's existing max TTL.

The lease's remaining TTL is not a limiting factor for a single renewal; the max TTL constraint is separate.

47
MCQmedium

Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?

A.'list' on sys/leases/.
B.'renew' on the secret path.
C.'sudo' on sys/leases/.
D.'update' on sys/leases/renew.
AnswerD

This capability is required to perform lease renewal.

Why this answer

The user can read credentials but cannot renew the lease because the policy grants 'read' and 'list' capabilities on the secret path, but renewing a lease requires the 'update' capability on the 'sys/leases/renew' endpoint. This endpoint is used to extend the lifetime of a lease, and without 'update' access, the renewal request is denied.

Exam trap

HashiCorp often tests the distinction between capabilities on the secret path versus the system lease path, leading candidates to mistakenly think 'read' or 'list' on the secret path is sufficient for renewal.

How to eliminate wrong answers

Option A is wrong because 'list' on 'sys/leases/' allows listing active leases but does not grant the ability to renew a specific lease; renewal requires a different endpoint and capability. Option B is wrong because 'renew' is not a valid capability in Vault's policy language; capabilities are 'create', 'read', 'update', 'delete', 'list', and 'sudo', and the renewal action is mapped to 'update' on the 'sys/leases/renew' path. Option C is wrong because 'sudo' on 'sys/leases/' provides elevated privileges for certain operations but does not specifically grant the 'update' capability needed for lease renewal; 'sudo' is a modifier that bypasses ACL checks but still requires the appropriate capability on the endpoint.
