VA-003 · topic practice

Create Vault policies practice questions

Practise the Create Vault policies domain of the HashiCorp Vault Associate (VA-003) exam with original exam-style scenarios, each with answer choices, an explanation, and analysis of the common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Create Vault policies

What the exam tests

What to know about Create Vault policies

Create Vault policies questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Create Vault policies exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Create Vault policies questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A company wants to grant developers the ability to read and write secrets under the path 'secret/dev/*', but only they should be able to delete their own secrets. Which policy design best meets this requirement?

Which TWO of the following are valid capabilities that can be specified in a Vault policy?

Question 3 · medium · multiple choice

A DevOps team is managing secrets for a microservices application using Vault. They have created a policy named 'app-policy' that grants read access to secrets under the path 'secret/data/app/*'. The policy is assigned to an AppRole role. When a service authenticates with the role ID and secret ID, it receives a token but is unable to read secrets from 'secret/data/app/db-creds'. The token's identity metadata shows the policies associated with the token include 'default' and 'app-policy'. The Vault server logs show no errors. The service can successfully read other secrets from the same path, like 'secret/data/app/config'. What is the most likely cause of the issue?

Question 4 · hard · multiple choice

A security team wants to ensure that all Vault policies for applications follow the principle of least privilege. They have a policy 'app-kv' that grants read access to secrets under 'secret/data/app/*'. An auditor finds that a developer can also read secrets under 'secret/data/team/*'. The policy currently uses a path-based glob. Which change should the team make to restrict access to only the app path?

A DevOps team is writing a Vault policy for a CI/CD pipeline that needs to authenticate using AppRole, read specific secrets, and generate dynamic database credentials. Which THREE capabilities should be included in the policy to meet these requirements? (Choose three.)

Refer to the exhibit. A developer reports that they cannot read secrets under 'secret/data/kv-v2/engineering/db-pass' using a token that has the policy shown in the exhibit attached. What is the most likely cause?

Exhibit


```hcl
path "secret/data/kv-v2/engineering/*" {
  capabilities = ["read", "list"]
}

path "secret/metadata/kv-v2/engineering/*" {
  capabilities = ["read", "list"]
}

path "sys/policies/acl/engineering" {
  capabilities = ["read"]
}
```

Drag and drop the steps to create and use a periodic service token in Vault into the correct order.


Match each Vault command to its function.

Functions to match (one Vault command each):

  • Write a secret
  • Read data at a path
  • Write data or invoke an endpoint
  • Delete a secret or path
  • List keys under a path

Question 9 · easy · multiple choice

A DevOps team needs to create a Vault policy that allows reading secrets from path "secret/data/app" but only for the key "db_password". They want to enforce this using Vault's policy syntax. Which policy statement achieves this?

A security administrator wants to create a policy that allows a service to renew its own token and list its own token capabilities, but not create new tokens. Which policy statements should be included?

A Vault administrator is designing a policy for a CI/CD pipeline that must be able to read dynamic database credentials from "database/creds/my-role" and also write to "secret/data/ci-cd" for storing build artifacts. The policy should follow the principle of least privilege. Which policy statements should be used?

Question 12 · easy · multi-select

A Vault operator is crafting a policy for a new application. Which two of the following are valid capabilities in a Vault policy path statement? (Select two.)

Question 13 · medium · multi-select

Which three of the following are valid capabilities in a Vault policy path statement? (Select three.)

A Vault policy must allow a service to read secrets from "secret/data/app" and also be able to renew its own token. Which two policy statements are necessary and sufficient for this requirement? (Select two.)

Question 15 · medium · multiple choice

Refer to the exhibit. A user with this policy attempts to read the secret at path "secret/data/team-a/admin". What will happen?

Exhibit

```hcl
path "secret/data/team-a/*" {
  capabilities = ["read", "list"]
}
path "secret/data/team-a/admin" {
  capabilities = ["deny"]
}
```

Refer to the exhibit. An application needs to encrypt data using the transit engine with key "app-key". It currently has this policy. Which statement is true?

Exhibit

```hcl
# Vault policy snippet
path "transit/encrypt/app-key" {
  capabilities = ["create", "update"]
}
path "transit/decrypt/app-key" {
  capabilities = ["create", "update"]
}
```

Refer to the exhibit. A user with this policy tries to write a new secret to "secret/data/production/db". What will happen?

Exhibit

```console
$ vault policy read my-policy
path "secret/data/production/*" {
  capabilities = ["read"]
}
path "secret/data/staging/*" {
  capabilities = ["create", "update"]
}
```

Question 18 · easy · multiple choice

A company uses Vault's KV v2 secrets engine. A policy is needed to allow a service to only update existing secrets at path "secret/data/service/config", but not create new ones. Which capabilities should be included?

Question 19 · medium · multiple choice

An administrator wants to create a policy that grants the ability to list all authentication methods enabled on the Vault server. Which path and capability are required?

Question 20 · hard · multiple choice

A Vault policy includes the following statement: `path "secret/data/+/app" { capabilities = ["read"] }`. Which paths would match this policy? (Assume KV v2.)
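Questions 15, 17 and 20 all turn on how Vault matches a request path against policy rules: an exact path beats a glob, `*` is only valid as the last character, `+` matches exactly one path segment, `deny` overrides everything, and when several non-exact rules match, Vault picks one rule by its documented priority order rather than merging capabilities. The Python model below is an added example written for this page; it is not HashiCorp's code and is not part of the question set. It parses only the `path "…" { capabilities = […] }` shape the exhibits use, and the policies named TEAM_A_POLICY, MY_POLICY, Q20_POLICY and PLUS_VS_GLOB are constructed from the exhibits of Questions 15, 17 and 20 (the second rule of PLUS_VS_GLOB is added here to show a `+` rule beating a glob on the same path).

```python
"""Offline model of how Vault matches a request path against ACL policy rules.

Added example for this page; not HashiCorp's code. It follows the documented
rules: an exact path wins; '*' is only valid as the last character and globs
the rest of the path; '+' matches exactly one path segment; "deny" overrides
every other capability; and when several non-exact rules match, Vault applies
a priority order and uses ONE rule's capabilities (it does not merge them).
"""
import re

CAPABILITIES = {"create", "read", "update", "patch", "delete", "list", "sudo", "deny"}

# Accepts the `path "…" { capabilities = [ … ] }` shape used by the exhibits;
# a purpose-built matcher, not a general HCL parser.
_RULE_RE = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{\s*capabilities\s*=\s*\[(?P<caps>[^\]]*)\]\s*\}'
)


def parse_policy(hcl):
    """Return {rule_path: frozenset(capabilities)}. Rules for the *same* path
    string are merged the way Vault merges a token's policies: union of
    capabilities, except that "deny" is sticky and wins."""
    rules = {}
    for m in _RULE_RE.finditer(hcl):
        path = m.group("path")
        if "*" in path[:-1]:
            raise ValueError(f"'*' is only valid as the last character: {path!r}")
        caps = frozenset(c.strip().strip('"') for c in m.group("caps").split(",") if c.strip())
        if caps - CAPABILITIES:
            raise ValueError(f"unknown capabilities in {path!r}: {sorted(caps - CAPABILITIES)}")
        merged = rules.get(path, frozenset()) | caps
        rules[path] = frozenset({"deny"}) if "deny" in merged else merged
    return rules


def _has_plus(rule_path):
    return "+" in rule_path.split("/")          # '+' counts only as a whole segment


def _segment_match(rule_path, req_path):
    """Match a rule that contains '+' segments and may also end in a '*' glob."""
    is_glob = rule_path.endswith("*")
    parts = (rule_path[:-1] if is_glob else rule_path).split("/")
    req = req_path.split("/")
    if len(parts) > len(req) or (not is_glob and len(parts) != len(req)):
        return False
    for i, seg in enumerate(parts):
        if seg == "+" or seg == req[i]:
            continue
        if is_glob and i == len(parts) - 1 and req[i].startswith(seg):
            continue                             # glob: last segment is a prefix
        return False
    return True


def _priority(rule_path):
    """Sort key for Vault's tie-break among non-exact matches (max() wins):
    later first wildcard/glob, then '+' rule over '*' glob, then fewer '+'
    segments, then longer path, then lexicographically greater path."""
    segs, pos, offsets = rule_path.split("/"), 0, []
    for seg in segs:
        if seg == "+":
            offsets.append(pos)
        pos += len(seg) + 1
    if rule_path.endswith("*"):
        offsets.append(len(rule_path) - 1)
    return (min(offsets), 0 if rule_path.endswith("*") else 1,
            -segs.count("+"), len(rule_path), rule_path)


def capabilities_for(rules, req_path):
    """Capabilities Vault would apply to req_path; an empty set is default deny."""
    if req_path in rules:                        # exact rule always wins
        return rules[req_path]
    candidates = []
    # Pure globs live in a radix tree in Vault, so only the longest matching
    # prefix competes; every matching '+' rule competes.
    globs = [p for p in rules
             if p.endswith("*") and not _has_plus(p) and req_path.startswith(p[:-1])]
    if globs:
        candidates.append(max(globs, key=len))
    candidates += [p for p in rules if _has_plus(p) and _segment_match(p, req_path)]
    return rules[max(candidates, key=_priority)] if candidates else frozenset()


def allowed(rules, req_path, operation):
    caps = capabilities_for(rules, req_path)
    return "deny" not in caps and operation in caps


# Policies constructed from this page's exhibits (Q15, Q17, Q20). The second
# rule of PLUS_VS_GLOB is added here to show priority between '+' and '*'.
TEAM_A_POLICY = """
path "secret/data/team-a/*"     { capabilities = ["read", "list"] }
path "secret/data/team-a/admin" { capabilities = ["deny"] }
"""
MY_POLICY = """
path "secret/data/production/*" { capabilities = ["read"] }
path "secret/data/staging/*"    { capabilities = ["create", "update"] }
"""
Q20_POLICY = 'path "secret/data/+/app" { capabilities = ["read"] }'
PLUS_VS_GLOB = Q20_POLICY + '\npath "secret/data/*" { capabilities = ["read", "delete"] }'

if __name__ == "__main__":
    checks = [
        (TEAM_A_POLICY, "secret/data/team-a/admin", "read"),   # exact deny beats glob
        (TEAM_A_POLICY, "secret/data/team-a/db", "read"),
        (MY_POLICY, "secret/data/production/db", "create"),     # read-only path
        (MY_POLICY, "secret/data/staging/db", "create"),
        (Q20_POLICY, "secret/data/foo/app", "read"),            # '+' is one segment
        (Q20_POLICY, "secret/data/foo/bar/app", "read"),
        (PLUS_VS_GLOB, "secret/data/foo/app", "delete"),        # '+' rule wins: no delete
        (PLUS_VS_GLOB, "secret/data/foo/other", "delete"),      # glob applies here
    ]
    for policy, path, op in checks:
        print(f"{op:6} {path:28} -> {allowed(parse_policy(policy), path, op)}")
```

The model takes the operation as an input because Vault decides it per engine: KV v2 issues a create operation when the path does not exist yet and an update when it does, which is why a write to a new `secret/data/production/db` under MY_POLICY is refused and why Question 18's "update existing but never create" is expressible at all. It deliberately leaves out `sudo` on root-protected paths and namespace prefixes; those do not change the path-matching rules shown here.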


Frequently asked questions

What does the VA-003 exam test about Create Vault policies?
Create Vault policies questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Create Vault policies questions in a focused session?
Yes. A focused session draws every question from the Create Vault policies domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other VA-003 topics?
Use the related VA-003 topic practice pages to move to related areas, or go back to the VA-003 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the VA-003 exam covers. They are not copied from any real exam or dump site.