A DevOps team is writing a Vault policy for a CI/CD pipeline that needs to authenticate using AppRole, read specific secrets, and write dynamic database credentials. Which THREE capabilities should be included in the policy to meet these requirements? (Choose three.)
'create' is needed to generate new database credentials.
Why this answer
Option B (create) is correct because the CI/CD pipeline needs to write dynamic database credentials, which requires the 'create' capability on the database secrets engine path (e.g., database/creds/my-role). The 'create' capability allows generating new credentials from a role, which is distinct from simply updating existing secrets. Without 'create', the pipeline cannot request fresh credentials from the database backend.
Exam trap
HashiCorp often tests the distinction between the 'write' and 'create' capabilities. Candidates mistakenly choose 'write' for generating dynamic credentials, not realizing that 'create' is specifically required for role-based credential generation in the database secrets engine.