CCNA Vault Tokens Questions

75 of 93 questions · Page 1/2 · Vault Tokens topic · Answers revealed

1
MCQ (easy)

A developer creates a token using the 'token create' command with the 'period=24h' flag. What type of token is created?

A.Root token
B.Periodic token
C.Orphan token
D.Batch token
Answer: B

The period flag creates a periodic token.

Why this answer

Option B is correct. A token created with a 'period' is a periodic token, a subtype of service token whose TTL is reset to the period on every renewal. It has no max TTL unless an explicit max TTL is also set, so it can be renewed indefinitely as long as each renewal happens within the period. Option A is wrong because nothing here makes it a root token. Option C is wrong because orphan is a property a token may have (no parent), not a token type. Option D is wrong because batch tokens are created with '-type=batch', and batch tokens cannot be periodic at all.

Creating a periodic token directly with 'vault token create -period=24h' requires a root or sudo token; a less privileged caller can only obtain one through a token role that sets the period.

2
MCQ (medium)

An application using a service token fails to renew it, receiving an error 'permission denied'. The token has policies that include 'path "auth/token/renew-self" { capabilities = ["update"] }'. The token is not expired and has remaining TTL. What is a likely cause?

A.The token's num_uses has reached zero
B.The token is a batch token
C.The token's parent was revoked
D.The token has reached its explicit max TTL
Answer: D

Renewal can never extend a token past its max TTL.

Why this answer

Option D is correct. A renewal can only move the expiry up to the token's max TTL (the explicit max TTL if one was set, otherwise the role, mount or system max TTL). When the token's expire_time already equals issue_time plus explicit_max_ttl there is nothing left to grant, so the renewal is refused even though the policy permits 'auth/token/renew-self' and the current TTL has not run out. Option A is wrong because num_uses counts remaining uses: 0 means unlimited, and a token that had exhausted a positive num_uses would already have been destroyed rather than return an error on renewal. Option B is wrong because the question says it is a service token, and a batch token fails renewal because batch tokens are not renewable at all. Option C is wrong because revoking the parent revokes its non-orphan children with it; the token would no longer exist, not merely be un-renewable.

When diagnosing this, 'vault token lookup' shows 'issue_time', 'explicit_max_ttl' and 'expire_time' together; if expire_time is already at the explicit cap, no renewal will help and the application has to re-authenticate for a new token.

3
MCQ (hard)

A Vault operator runs 'vault token lookup s.abc123' and sees that the token type is 'service', renewable is true, but the ttl is 30m and creation_ttl is 1h. The token has num_uses set to 0. What is the most likely explanation for the discrepancy between ttl and creation_ttl?

A.The token has renewable set to false
B.The token type is service, so it cannot be renewed
C.30 minutes have elapsed since the token was created
D.The token has been used and num_uses decremented
Answer: C

'ttl' is the time remaining; 'creation_ttl' was 1h, so about 30m have elapsed.

Why this answer

Option C is correct. 'creation_ttl' is the TTL the token was issued with and never changes; 'ttl' is the time left right now. With no renewal in between, the difference is the time since creation: about 30 minutes. Option A is wrong because the lookup shows renewable true. Option B is wrong because service tokens are the renewable token type; batch tokens are the ones that cannot be renewed. Option D is wrong because num_uses is 0, which means unlimited uses, and use counting never changes the TTL anyway.

Two caveats when reading lookups this way: the 's.' prefix marks a legacy-format service token (current versions issue 'hvs.' service and 'hvb.' batch tokens), and if the token had been renewed its 'ttl' would have been reset, so the subtraction would no longer give its age. 'creation_time' and 'issue_time' in the same output always do.

4
MCQ (hard)

An administrator receives an access denied error when trying to use a token accessor to revoke a token. The administrator's token has the following policy capabilities: path "auth/token/revoke-accessor" { capabilities = ["read", "list"] }. What is the issue?

A.The administrator lacks the 'sudo' capability on that path
B.The administrator lacks the 'update' capability on that path
C.The path requires 'create', 'update' and 'sudo' together
D.The accessor path is incorrect; it should be auth/token/accessors/revoke
Answer: B

Revoking by accessor is a POST to auth/token/revoke-accessor, which needs 'update'.

Why this answer

Option B is correct. 'auth/token/revoke-accessor' is written to with a POST, an update operation in ACL terms, so the policy must grant 'update' on that path; 'read' and 'list' do not apply to it. Option A is wrong because revoke-accessor is not a sudo-protected endpoint; the token endpoints that do require sudo are 'auth/token/create-orphan', 'auth/token/revoke-orphan' and listing 'auth/token/accessors'. Option C is wrong for the same reason, and 'create' is not needed either. Option D is wrong because the path in the policy is correct; 'auth/token/accessors' is the list endpoint, not a revocation endpoint.

5
MCQ (hard)

A token with a policy that explicitly denies 'read' on 'secret/engineering/private' is issued. The same token also has another policy that grants 'read' on 'secret/engineering/*'. What is the result when the token tries to read 'secret/engineering/private'?

A.The read succeeds because the grant from the wildcard policy is more permissive
B.The read fails because the policies conflict and Vault defaults to deny
C.The read succeeds because the token has a separate policy that grants read
D.The read fails because the explicit deny on the specific path takes precedence
Answer: D

Vault's ACL model gives deny precedence over allow.

Why this answer

Option D is correct. For each request Vault selects the single most specific rule from the token's merged policies: an exact path match beats a glob, and among globs the longest matching prefix wins. 'secret/engineering/private' matches the exact-path rule, whose only capability is deny. Even where the same path appears in two policies, a deny in either one wins over any grant in the other. Option A is wrong because a more permissive grant never overrides a deny. Option B is wrong because this is not an unresolved conflict falling back to default-deny; the explicit deny on the more specific path is selected and applied. Option C is wrong because holding a second policy that grants read does not help once the deny rule governs the path.

6
MCQ (hard)

A large enterprise uses Vault with multiple namespaces for different business units. The security team requires that all tokens be created through a token role with a bounded set of allowed policies. The token role allows policies 'app-dev', 'app-staging', and 'app-prod' for the development namespace and has token_type set to 'service'. A developer creates a token using this role but specifies an additional policy, 'admin', in the creation request. The Vault administrator expects this request to fail because 'admin' is not in the allowed policies list. However, the token is created successfully with 'admin' attached. Why did the request succeed?

A.The token role's 'token_type' was set to 'batch', which ignores policy restrictions.
B.The token role also had 'allowed_policies_glob' set to a pattern such as 'a*', which matches 'admin' as well as the app-* policies.
C.Vault ignores the 'allowed_policies' list when the token creation request includes policies, as long as one of the requested policies is in the allowed list.
D.The developer added the 'admin' policy directly to the token role before creating the token.
Answer: B

A requested policy is accepted if it matches either 'allowed_policies' or 'allowed_policies_glob'; an over-broad glob quietly widens the allow list.

Why this answer

Token roles constrain which policies a token created through them may carry. A requested policy is permitted if it appears in 'allowed_policies' or matches a pattern in 'allowed_policies_glob' (and is not excluded by 'disallowed_policies' or 'disallowed_policies_glob'); if any requested policy passes neither check, the whole request fails. A glob such as 'a*' matches 'admin' as well as 'app-dev', so the request is accepted. Note that 'app-*' would not have matched 'admin'; the problem is a pattern broader than intended.

Option B is correct for that reason. Option A is wrong because the role is of type 'service', and in any case the token type has no effect on policy checks. Option C is wrong because Vault enforces the allow list for every requested policy; it does not partially accept a request. Option D is wrong because nothing in the scenario says the role was changed and it still lists only the three app-* policies; modifying a role also requires write access to 'auth/token/roles/<name>', which a developer should not have.

When auditing token roles, read both fields: 'vault read auth/token/roles/<name>' shows 'allowed_policies' and 'allowed_policies_glob' side by side.

7
MCQ (easy)

A user receives the error shown in the exhibit, an HTTP 403 with 'permission denied', when trying to read a secret. What is the most likely cause?

A.The secret engine is not enabled
B.The token is a root token
C.The token has expired
D.The token's policy does not grant read on that path
Answer: D

'permission denied' means Vault's ACL check rejected the request for this token.

Why this answer

Option D is correct because a 403 'permission denied' on a read usually means none of the token's policies grants 'read' on that path. Option A is wrong because a path with no secrets engine mounted returns a 404 rather than a 403. Option B is wrong because a root token has every capability and cannot be denied by policy. Option C is less likely but cannot be ruled out from the message alone: Vault returns the same 403 'permission denied' for an expired, revoked or otherwise invalid token. If the policy looks right, run 'vault token lookup' with the token; an expired token no longer exists, while a valid token with the wrong policies is listed. 'vault token capabilities <token> <path>' then shows exactly what the token may do on that path.

8
MCQ (medium)

A CI/CD pipeline needs to generate thousands of short-lived tokens each day for jobs that run for at most 5 minutes. The tokens should not be renewable or revocable individually. Which token type should be used?

A.Orphan tokens
B.Service tokens
C.Batch tokens
D.Periodic tokens
Answer: C

Batch tokens are non-renewable, cannot be revoked individually, and are the cheapest token type for high-volume, short-lived use.

Why this answer

Option C is correct because batch tokens match every requirement: they carry a fixed TTL, cannot be renewed, cannot be revoked one at a time, and are encrypted blobs rather than storage entries, so issuing thousands a day costs Vault nothing on disk. Option A is wrong because orphan is a property (no parent), not a token type. Option B is wrong because service tokens are renewable and revocable and each one is written to storage, which is exactly the overhead to avoid here. Option D is wrong because periodic tokens are renewable indefinitely, the opposite of what is wanted.

The trade-off to remember: a batch token cannot be revoked individually, but it stops working if the parent token it was created from is revoked (unless it was created as an orphan).

9
Multi-Select (medium)

Which TWO of the following are true about token accessors?

Select 2 answers
A.Accessors are the token value
B.Accessors should be used in audit logs instead of token values
C.Accessors are unique identifiers for tokens
D.Accessors can be used in place of the token to authenticate requests
Answers: B, C

Accessors let you reference a token without ever handling the token itself.

Why this answer

Every service token has an accessor: a unique, non-sensitive reference that Vault records in audit logs and that can be used for lifecycle operations without knowing the token value (lookup, renewal and revocation through the '-accessor' flag of 'vault token lookup', 'vault token renew' and 'vault token revoke', or the 'auth/token/lookup-accessor', 'renew-accessor' and 'revoke-accessor' endpoints). Options B and C are therefore true. Option A is false because the accessor is a separate identifier, not the token. Option D is false because an accessor carries no authentication: it cannot be presented as X-Vault-Token, so a leaked accessor does not grant the token's access, although anyone with 'update' on the revoke endpoint could use it to revoke the token.

Batch tokens are the exception: they have no accessor, which is one reason they cannot be revoked individually.

10
MCQ (medium)

A security audit reveals that many Vault tokens in an organization are orphan tokens (tokens with no parent). The tokens were created by a bulk token-creation script that created them as orphans. The security team is concerned because orphan tokens cannot be managed through the usual parent-child hierarchy, and they want to revoke all orphan tokens created more than 30 days ago. However, the team does not have a list of token IDs for these tokens. Which approach should the team take?

A.Reinitialize Vault and restore from a snapshot taken before the orphan tokens were created.
B.If the team stored token accessors at creation time, use the accessors to revoke the tokens via the /auth/token/revoke-accessor endpoint.
C.Use the token's parent token (the script's token) to recursively revoke all children, which includes orphan tokens.
D.Revoke the script's token and all its children, which will indirectly revoke the orphan tokens associated with that script.
Answer: B

Accessors allow revocation without the token ID, which is exactly what is needed when only the token's existence is known.

Why this answer

Option B is correct because every service token has an accessor, and 'vault token revoke -accessor <accessor>' (the /auth/token/revoke-accessor endpoint) revokes it without the token value. If the accessors were not saved, they can still be recovered: 'vault list auth/token/accessors' (a sudo-protected operation) lists every accessor in the namespace, and 'vault token lookup -accessor <accessor>' returns each token's 'creation_time', 'orphan' flag, 'path' and policies, which is enough to pick out the orphans older than 30 days. Options C and D are wrong because an orphan token has no parent by definition: revoking the script's token, with or without its children, leaves the orphans untouched. Option A is wrong because restoring a snapshot rolls back every secret, lease and token in the cluster, not just the orphans; it is a disaster-recovery operation, not a revocation method.
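The triage described in this question and in question 3 (reading 'ttl' against 'creation_ttl' and 'creation_time') can be scripted against the JSON that 'vault token lookup -accessor <accessor> -format=json' returns. The Python below is an added example, not part of the original question set or of Vault; the four lookups are constructed samples with made-up accessors, and NOW is an assumed current time so the run is reproducible offline. It shows why 'creation_ttl - ttl' is only the token's age when the token was never renewed, and emits the revoke-by-accessor commands for the stale orphans.

```python
"""Token lookup triage: token age versus remaining TTL, and stale orphans to revoke.

Added example, not part of the original question set. It consumes the `data`
section of `vault token lookup -accessor <accessor> -format=json` output; the
lookups below are constructed samples (fake accessors, assumed current time).
"""
import json

DAY = 86_400
NOW = 1_700_000_000  # assumed "current time" (Unix seconds) for this run

# Constructed `data` sections, trimmed to the fields this script uses.
# Vault reports creation_time as Unix seconds and creation_ttl/ttl in seconds.
SAMPLE_LOOKUPS = [
    json.dumps({  # periodic orphan, 40 days old, renewed many times
        "accessor": "acc-orphan-old", "orphan": True, "renewable": True,
        "type": "service", "creation_time": NOW - 40 * DAY,
        "creation_ttl": DAY, "ttl": 50_000, "policies": ["default", "ci-deploy"]}),
    json.dumps({  # orphan, 10 days old, never renewed
        "accessor": "acc-orphan-new", "orphan": True, "renewable": True,
        "type": "service", "creation_time": NOW - 10 * DAY,
        "creation_ttl": 30 * DAY, "ttl": 20 * DAY, "policies": ["default", "reporting"]}),
    json.dumps({  # 60 days old but has a parent: not an orphan, out of scope
        "accessor": "acc-child-old", "orphan": False, "renewable": True,
        "type": "service", "creation_time": NOW - 60 * DAY,
        "creation_ttl": DAY, "ttl": 3_000, "policies": ["default"]}),
    json.dumps({  # periodic orphan, 31 days old
        "accessor": "acc-orphan-31", "orphan": True, "renewable": True,
        "type": "service", "creation_time": NOW - 31 * DAY,
        "creation_ttl": DAY, "ttl": 70_000, "policies": ["default", "ci-deploy"]}),
]


def parse_lookup(raw_json):
    """Parse one `data` section of a token lookup."""
    return json.loads(raw_json)


def ttl_consumed(data):
    """creation_ttl minus ttl: equals the token's age ONLY if it was never renewed."""
    return data["creation_ttl"] - data["ttl"]


def age_seconds(data, now=NOW):
    """Authoritative age: creation_time never moves, however often the token is renewed."""
    return now - data["creation_time"]


def was_renewed(data, now=NOW):
    """True when the TTL has been reset at least once since creation."""
    return age_seconds(data, now) > ttl_consumed(data)


def select_stale_orphans(raw_lookups, now=NOW, max_age_days=30):
    """Accessors of orphan tokens older than max_age_days, oldest first."""
    stale = []
    for raw in raw_lookups:
        data = parse_lookup(raw)
        if data.get("orphan") and age_seconds(data, now) > max_age_days * DAY:
            stale.append(data)
    stale.sort(key=lambda d: d["creation_time"])
    return [d["accessor"] for d in stale]


def revoke_commands(accessors):
    """Revocation by accessor needs no token value: the approach from question 10."""
    return [f"vault token revoke -accessor {a}" for a in accessors]


if __name__ == "__main__":
    for raw in SAMPLE_LOOKUPS:
        d = parse_lookup(raw)
        print(f"{d['accessor']:16} age={age_seconds(d) // DAY:3}d "
              f"ttl_consumed={ttl_consumed(d):8}s renewed={was_renewed(d)} orphan={d['orphan']}")
    for cmd in revoke_commands(select_stale_orphans(SAMPLE_LOOKUPS)):
        print(cmd)
```

In a real run the input list comes from 'vault list -format=json auth/token/accessors' followed by one lookup per accessor; the selection logic is unchanged. Batch tokens never appear in that list because they have no accessor.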

11
MCQ (hard)

A large enterprise runs a microservices architecture on Kubernetes. Each microservice authenticates to Vault using the Kubernetes auth method with a service account token. The Vault administrator configured a role 'microservice-role' with token_ttl of 24h and token_max_ttl of 48h. The microservices renew their tokens every 12 hours via a sidecar. Recently, the security team noticed that some tokens are still valid after 72 hours. The audit logs show the same tokens being renewed successfully many times. The administrator reviews the role and confirms that token_max_ttl is 48h. What is the most likely reason the tokens are exceeding the intended 48h max TTL?

A.The sidecar renewal interval is too short, causing the token to be renewed before the max TTL is checked
B.The Kubernetes auth method's default TTL overrides the role's max TTL
C.The Vault role's max TTL is not propagated to the token because the token was created with a different policy
D.The role also has token_period set, so the tokens are periodic; token_max_ttl does not bound periodic tokens, and only token_explicit_max_ttl would cap them
Answer: D

A period turns the role's tokens into periodic tokens, which renew to the period every time and have no max TTL unless an explicit max TTL is set.

Why this answer

The Kubernetes auth method only validates the service account JWT at login; from then on the Vault token's lifetime is governed entirely by Vault's own token parameters. If the role carries 'token_period' as well as 'token_max_ttl', each renewal resets the TTL to the period and 'token_max_ttl' is not consulted, so renewals every 12 hours keep the same token alive indefinitely, which is exactly what the audit trail shows. Setting 'token_explicit_max_ttl' on the role is the way to cap a periodic token's total lifetime; alternatively remove 'token_period' so that 'token_max_ttl' applies again.

Exam trap

The misconception tested is that 'token_max_ttl' is always the hard ceiling. For periodic tokens it is ignored: the period sets the renewal TTL and only an explicit max TTL bounds the total lifetime. When a token outlives its expected max TTL, check 'vault token lookup' for a non-zero 'period'.

How to eliminate wrong answers

Option A is wrong because renewal frequency cannot bypass a max TTL: every renewal is evaluated against the token's issue time, and a renewal that would pass the max TTL is capped at it. Option B is wrong because there is no separate auth-method default TTL that overrides a role's max TTL; the role value is the effective ceiling unless the mount's or the system max TTL is lower, which is not the case here. Option C is wrong because policies control what a token may do, not how long it lives; the role's TTL settings apply to every token it issues regardless of attached policies. Note also that the service account token's own lifetime is irrelevant after login: Vault does not re-check Kubernetes when renewing a token it has already issued.

12
Multi-Select (hard)

Which THREE factors influence the maximum TTL of a token?

Select 3 answers
A.The TTL set on the token role.
B.The max TTL of the auth method or mount.
C.The token's current TTL.
D.The max TTL set on the token role.
E.The system's default max TTL (usually 32 days).
Answers: B, D, E

The mount's max TTL, the role's max TTL and the system max TTL each impose a ceiling; the most restrictive one applies.

Why this answer

The effective max TTL of a token is the lowest of the token role's max TTL, the max lease TTL configured on the auth mount, and the system-wide max lease TTL (768h, or 32 days, by default). An explicit max TTL set on the token itself can lower it further but never raise it. Option A is wrong because the role's default TTL is the starting lifetime, not the ceiling. Option C is wrong because the current TTL is what remains right now; it is bounded by the max TTL, not the other way round.

13
Multi-Select (medium)

Which TWO of the following commands revoke a specific Vault token?

Select 2 answers
A.vault token revoke <token>
B.vault secrets disable <path>
C.vault auth disable <path>
D.vault token revoke -accessor <accessor>
E.vault policy delete <name>
Answers: A, D

Both commands revoke one token, with or without knowing its value.

Why this answer

Option A is correct because `vault token revoke <token>` revokes the token identified by its value, together with its child tokens, and invalidates it immediately. Option D is correct because `vault token revoke -accessor <accessor>` does the same using the accessor, a non-sensitive identifier, so an operator can revoke a token seen in the audit log without ever handling the token itself.

Exam trap

The other three commands are not token revocation, although two of them have side effects on tokens. `vault auth disable <path>` removes an auth mount and revokes every token that mount ever issued, which is far broader than revoking one token. `vault secrets disable <path>` revokes the leases of that secrets engine (the dynamic credentials it issued) but does not touch tokens. `vault policy delete <name>` removes the policy, so tokens that reference it lose those capabilities on their next request, but the tokens themselves remain valid.

14
MCQ (medium)

Based on the exhibit (a token lookup showing ttl 720h, renewable true and an expire_time), what is the maximum lifetime of this token?

A.720 hours
B.The max TTL is shown as 'ttl' and cannot exceed that
C.The token is valid indefinitely because it is renewable
D.The token will expire at expire_time unless renewed
Answer: D

The lookup shows the current TTL and expiry, not the max TTL; the token lives until expire_time unless it is renewed first.

Why this answer

'ttl' is the time remaining and 'expire_time' is the moment the token dies if nothing renews it; that is all the output states with certainty. The maximum lifetime is not displayed: 'explicit_max_ttl' reads 0s when none is set on the token, and the effective ceiling then comes from the token role, the auth mount's max lease TTL or the system default (32 days), none of which appear in a token lookup. Option A is wrong because 720h is the remaining TTL, which a renewal could extend or a max TTL could cut short. Option B is wrong because 'ttl' is not the max TTL. Option C is wrong because renewable does not mean unlimited; renewals are capped by the max TTL unless the token is periodic, and the exhibit shows no period.

15
MCQ (medium)

A token has the properties shown in the exhibit. A user attempts to use this token to write a secret to 'secret/data/myapp'. The token fails with a permission denied error. What is the most likely cause?

A.The token has an explicit max TTL of 0s, which prevents write operations.
B.The token's policies do not grant write capability on the target path.
C.The token is a service token but the write operation requires a batch token.
D.The token is orphaned, so it cannot be used for write operations.
Answer: B

The token carries only the 'default' and 'my-policy' policies. Unless one of them grants 'create' or 'update' on 'secret/data/myapp', the write is denied.

Why this answer

Policies are the only thing that decides what a token may do on a path. A write to 'secret/data/myapp' needs 'create' (if the key does not exist yet) or 'update' (if it does) on that path, and the 'default' policy grants nothing under 'secret/'. Whatever 'my-policy' grants elsewhere, the 403 says it does not cover this path with the needed capability, regardless of the token's TTL, type or parentage.

Exam trap

HashiCorp often tests the misconception that token properties like TTL, type, or parentage affect permissions, when in reality only the attached policies determine what operations a token can perform on a given path.

How to eliminate wrong answers

Option A is wrong because an explicit_max_ttl of 0s simply means no explicit cap was set on this token (the mount or system max TTL still applies); TTL settings never affect authorization. Option C is wrong because service and batch tokens are authorized identically; the token type changes lifecycle and storage, not capabilities. Option D is wrong because an orphan token (one with no parent) is authorized like any other token; having no parent only changes who can revoke it implicitly.

'vault token capabilities <token> secret/data/myapp' is the quick way to confirm this: it prints the capabilities the token actually has on that path.

16
MCQ (medium)

A user's token was revoked by an administrator, but the user can still log in to a database with a password they had previously read from a KV v1 secrets engine. What is the most likely reason?

A.The token had sudo capabilities on the path
B.The token was a root token and cannot be revoked
C.The token was an orphan token and therefore immune to revocation
D.The secret came from a KV engine, which stores static values without leases; revoking the token ends the user's access to Vault but does not change data already read
Answer: D

Token revocation revokes the token and the leases attached to it; static KV data has no lease, so copies already read stay usable until the secret itself is rotated.

Why this answer

Option D is correct. Revoking a token tears down the token (no further Vault requests succeed) and every lease tied to it, which invalidates dynamic secrets such as credentials issued by the database secrets engine. A password stored in KV (v1 or v2) is static: Vault never issued a lease for it, and the user's copy keeps working until someone rotates the password in the database and updates the KV entry. Option A is wrong because sudo has nothing to do with revocation behaviour. Option B is wrong because root tokens can be revoked like any other token, and should be once the task they were created for is done. Option C is wrong because orphan tokens are fully revocable; being an orphan only means no parent can revoke them implicitly.

17
Multi-Select (easy)

A DevOps team is troubleshooting token access in Vault and needs to know which token operations require the sudo capability. Which TWO of the following operations require sudo?

Select 2 answers
A.Create a token
B.Renew a token
C.Create an orphan token via auth/token/create-orphan
D.Revoke a token by its ID via auth/token/revoke
E.List all token accessors via auth/token/accessors
Answers: C, E

Creating orphan tokens and enumerating every accessor are the root-protected token operations.

Why this answer

Options C and E are correct. 'auth/token/create-orphan' (and the 'no_parent' or 'period' parameters on a direct 'auth/token/create' call) requires root or sudo because an orphan token escapes the creator's revocation hierarchy, and listing 'auth/token/accessors' requires sudo because the list can be used to look up or revoke every token in the namespace. Revoking while orphaning the children, 'auth/token/revoke-orphan', is the other sudo-protected token endpoint. Options A, B and D are wrong because ordinary creation ('auth/token/create'), renewal ('renew-self' is even granted by the default policy) and revocation by ID or accessor need only the 'update' capability on their paths.

Exam trap

The misconception tested is that anything destructive needs sudo. Plain revocation does not; it needs 'update' on 'auth/token/revoke' (or 'revoke-accessor'). Sudo is reserved for operations that change the token hierarchy or expose all tokens at once.

18
Multi-Select (hard)

Which THREE of the following are true about batch tokens?

Select 3 answers
A.They have an accessor that can be used to revoke them
B.They have a fixed TTL set at creation
C.They are non-renewable
D.They are always root tokens
E.They are lightweight and have no storage cost
Answers: B, C, E

Batch tokens are encrypted blobs with a fixed TTL.

Why this answer

Batch tokens are not written to storage: the token string is an encrypted blob carrying everything Vault needs to validate it, which is why they are cheap to issue at scale. The price is a fixed lifetime: the TTL is set at creation, cannot be renewed, and cannot be cut short by individual revocation because there is nothing in storage to delete. Option A is false because batch tokens have no accessor, so there is no lookup or revocation by accessor for them. Option D is false because a root token is always a service token; batch tokens cannot be root. Batch tokens can be created as orphans, can carry policies and metadata like any token, and stop working if the parent they were created from is revoked.

Exam trap

The misconception tested is that batch tokens are just smaller service tokens that can be renewed or revoked one at a time. They cannot; what they can do that service tokens cannot is be used across performance replication clusters (when created as orphans).

19
MCQ (hard)

An administrator creates tokens from a token role in a loop. After a few succeed, each further request fails with the error 'lease count quota exceeded'. What does this error indicate?

A.The token has been revoked too many times
B.The token's TTL is too short
C.The token's policy is not allowed by the role
D.A lease count quota covering this auth path has been reached
Answer: D

Every service token is a lease; a lease count quota caps how many may exist under a path at once.

Why this answer

'lease count quota exceeded' is the error Vault Enterprise returns when a lease count quota ('sys/quotas/lease-count/<name>') applied to the namespace, mount or path is already at its cap. Service tokens count as leases, so a script that creates tokens without revoking them eventually hits the quota. The remedy is to revoke the leftover tokens ('vault token revoke -mode path auth/token/create/<role>' sweeps every token created through that role) or to raise or re-scope the quota; batch tokens, which are not leases, are another option for high-volume creation.

Option A is wrong because a token is revoked at most once. Option B is wrong because the message is about count, not TTL. Option C is wrong because a disallowed policy produces a policy error at creation, not a quota error.

20
MCQ (easy)

Refer to the exhibit. A token has this policy. Which action can the token perform?

A.Update a secret at "secret/data/engineering/config"
B.Read a secret at "secret/data/engineering/db-pass"
C.List secrets at "secret/data/finance/"
D.Delete a secret at "secret/data/finance/budget"
Answer: B

The policy allows read on engineering/*.

Why this answer

The policy grants 'read' and 'list' on 'secret/data/engineering/*', so reading 'secret/data/engineering/db-pass' is allowed. It grants no 'update' on engineering paths and nothing at all under 'secret/data/finance/', so options A, C and D are denied. Note that on a KV v2 mount, listing is performed against 'secret/metadata/...', not 'secret/data/...', so a 'list' capability on the data path alone would not make a list work even for engineering.

21
Matching (medium)

Match each Vault seal type to its description.

Pairs (seal stanza name: description)

shamir: Split key into shares

awskms: Use AWS Key Management Service

azurekeyvault: Use Azure Key Vault

gcpckms: Use Google Cloud KMS

pkcs11: Use hardware security module

Why these pairings

These are the mechanisms Vault uses to protect its root key. Shamir is the default: the root key is split into key shares and a threshold of them must be supplied to unseal after every restart. The other four are auto-unseal seals: the root key is encrypted by an external KMS or HSM, and on start-up Vault asks that service to decrypt it, so operator key-holders are replaced by the cloud or HSM credentials and their access controls.

22
Multi-Select (medium)

Which TWO methods can be used to revoke a token without knowing the token ID?

Select 2 answers
A.Using the token's role name if it has one.
B.Using `vault token revoke -mode path` on the auth mount.
C.Using the token's policy name.
D.Using the token's creation time.
E.Using the token accessor.
Answers: B, E

The accessor identifies a single token; prefix revocation on the auth mount sweeps every token the mount issued.

Why this answer

Option E is correct because `vault token revoke -accessor <accessor>` revokes one specific token from its accessor, which audit logs record in place of the token value. Option B is correct because `vault token revoke -mode path auth/<mount>/` revokes every token (and attached lease) created under that path prefix through 'sys/leases/revoke-prefix', a sudo-protected operation; narrowing the prefix to 'auth/token/create/<role>' sweeps only the tokens created through one token role. Option A is not a separate mechanism: a role name alone revokes nothing and is only useful as part of that path prefix. Options C and D are wrong because neither policy names nor creation times are indexes Vault can revoke by; they are attributes you read back from a lookup and filter on yourself.

23
MCQ (hard)

A Vault administrator wants to ensure that when a parent token is revoked, all child tokens are also revoked. Which option should they use?

A.Use the 'force' parameter when revoking the parent token
B.Revoke the parent token using the 'revoke-orphan' endpoint
C.Revoke the parent with the standard 'vault token revoke' (auth/token/revoke); child revocation is the default behaviour
D.Use the 'cascade=true' parameter when revoking the parent token
Answer: C

Standard revocation already cascades: revoking a token revokes its entire subtree.

Why this answer

Option C is correct. 'auth/token/revoke' (like 'revoke-self' and 'revoke-accessor') revokes the token and, recursively, every child token and their leases; no extra flag is needed. Option B is wrong because 'auth/token/revoke-orphan' ('vault token revoke -mode orphan') is the one endpoint that does the opposite: it revokes the token and leaves its children alive as orphans, which is why it requires sudo. Options A and D are wrong because token revocation has no 'force' or 'cascade' parameter; the only 'force' variant in this area is 'sys/leases/revoke-force', a sudo-protected prefix revocation that ignores backend errors, which is unrelated to cascading.

24
MCQ (medium)

Which token type should be used for short-lived credentials that do not need to be renewed?

A.Service tokens
B.Periodic tokens
C.Batch tokens
D.Orphan tokens
Answer: C

Batch tokens are non-renewable and carry a fixed TTL, which suits short-lived use.

Why this answer

Batch tokens are non-renewable, are not written to storage, and expire exactly when their TTL runs out, so they fit credentials that live briefly and are then discarded. Service tokens (A) and periodic tokens (B) are built for renewal, and orphan (D) is a property a token of either type may have, not a type in itself.

25
MCQ (easy)

What is the purpose of a token's "period" attribute?

A.It is the starting TTL for a periodic token and is refreshed on each renewal.
B.It defines the maximum lifetime of a token.
C.It defines the number of uses before token expires.
D.It is the time after which the token is revoked if not used.
Answer: A

The period is the TTL a periodic token returns to on every renewal.

Why this answer

For periodic tokens, the "period" is the TTL granted at creation and again at every renewal. A periodic token has no max TTL unless an explicit max TTL is also set, so it can be renewed indefinitely provided each renewal happens before the current period runs out; a renewal that arrives late finds the token already expired. Option B describes the (explicit) max TTL, option C describes num_uses, and option D is the ordinary TTL, which counts down whether or not the token is used.

26
MCQ (easy)

Where can you view a list of all active tokens in Vault?

A.There is no way to list tokens.
B.`vault token list`
C.`vault list auth/token/accessors`
D.Both B and C
Answer: C

Vault lists accessors, not token values; each accessor can then be looked up.

Why this answer

Option C is correct. Vault never stores or lists token values, but it keeps an accessor for every service token, and `vault list auth/token/accessors` (a LIST on 'auth/token/accessors', which requires sudo) enumerates them. Feeding each accessor to `vault token lookup -accessor` reveals its policies, TTL, creation time and orphan status, and `vault token revoke -accessor` removes it. Option B is wrong because there is no `vault token list` subcommand. Option A is wrong for the reason above, with one real exception worth knowing: batch tokens have no accessor and are not stored, so they never appear in this list. Option D is wrong because B is not a real command.

27
MCQ (medium)

A periodic token is created with a period of 30 days. After 60 days, the token is still in use but suddenly stops working. What is the most likely reason?

A.The token exceeded its max TTL of 60 days
B.The token reached its default max TTL of 32 days
C.The token's explicit_max_ttl was set to a value less than 60 days
D.The token was revoked manually or by an administrator
Answer: D

Periodic tokens do not expire while they keep being renewed within their period; a token that dies abruptly was usually revoked, or a renewal was missed.

Why this answer

A periodic token has no max TTL unless an explicit max TTL was set, so neither a 60-day limit nor the 32-day system default applies; each renewal inside the period resets the TTL to 30 days. Option A is wrong because there is no implied 60-day max. Option B is wrong because the system max TTL does not bound periodic tokens. Option C is possible only if 'explicit_max_ttl' was deliberately set when the token was created, and a lookup on the token while it was alive, or on the role that issued it, would have shown that. Absent such a cap, the likely causes are revocation by an administrator (including revocation of its parent, if it was not an orphan) or a renewal that arrived after the 30-day period had already lapsed.

28
MCQ (hard)

A cloud-native application uses Vault's Kubernetes auth method to inject tokens into pods. Each pod receives a Vault token with a TTL of 1 hour, renewable. The application is designed to renew tokens before they expire. However, after a recent update to the Kubernetes auth role, pods are failing: their first request to Vault succeeds and every subsequent one, including the renewal, is rejected. The operations team checks the Vault audit logs and sees that each token is accepted exactly once after creation and is gone immediately afterwards. The pods have not revoked anything. What is the most likely cause?

A.The Kubernetes auth method's 'kubernetes_ca_cert' has expired, causing Vault to invalidate all tokens.
B.The role update set 'token_num_uses' to 1, so each token is consumed by its first request and destroyed.
C.The Vault tokens are being created as batch tokens and are immediately revoked due to a misconfiguration.
D.The pods are attempting to renew tokens too frequently, exceeding a rate limit.
Answer: B

A token with a positive num_uses is destroyed as soon as its uses run out, regardless of its TTL.

Why this answer

'token_num_uses' on an auth role limits how many requests a token may make; 0 (the default) is unlimited and 1 makes a one-time token. With 'token_num_uses' set to 1 the pod's first call, whatever it is, consumes the only use and Vault deletes the token, so the renewal that follows finds nothing to renew. 'vault token lookup' on a freshly issued token shows the problem as 'num_uses 1'. Option A is wrong because 'kubernetes_ca_cert' is only used to validate the Kubernetes API during login; it has no effect on tokens already issued, and a broken certificate would make logins fail rather than succeed. Option C is wrong because batch tokens cannot be revoked at all; they simply run to their TTL. Option D is wrong because Vault has no default renewal rate limit, and a rate-limit quota, if one is configured, answers throttled requests with a 429 without destroying the token.

29
MCQ (easy)

A DevOps engineer needs to create a token that can only read secrets under the path 'secret/engineering'. What is the recommended approach?

A.Create a token with a short TTL so it expires quickly
B.Create a token with the default policy only
C.Use the root token and restrict usage with a low TTL
D.Create a policy that allows read on secret/engineering/* and attach it to the token
Answer: D

A custom policy with minimal privileges follows the principle of least privilege.

Why this answer

Option D is correct: write a policy granting 'read' (and, if browsing is needed, 'list') on 'secret/engineering/*', then issue the token with that policy, either directly ('vault token create -policy=engineering-read') or through an auth method role that attaches it. On a KV v2 mount the read path is 'secret/data/engineering/*' (and 'secret/metadata/engineering/*' for list), so write the policy against those paths. Option A is wrong because a short TTL limits how long a token lives, not what it can reach. Option B is wrong because the 'default' policy grants only token self-management (lookup-self, renew-self, revoke-self and the cubbyhole); it cannot read 'secret/engineering'. Option C is wrong because a root token has every capability everywhere, and a short TTL does nothing to narrow that.

30
MCQ (easy)

A DevOps team uses Vault to manage secrets for a microservices application. The application authenticates with AppRole, and the role issues periodic tokens with a period of 1 hour. Each service renews its token well inside the period and uses it to read secrets from a path. Recently, the team noticed that some services are unable to read secrets after a few hours, with errors indicating the token is not authorized or has expired. The renewals had all been succeeding up to that point. What is the most likely cause?

A.The Vault server's maximum number of tokens per client has been exceeded.
B.The tokens are not being renewed correctly due to a bug in the renewal logic.
C.The AppRole role sets 'token_explicit_max_ttl' to a few hours, which caps the total lifetime of the periodic token no matter how often it is renewed.
D.The AppRole secret ID is being revoked, causing tokens to become invalid.
Answer: C

A period removes the ordinary max TTL, but an explicit max TTL is still a hard stop.

Why this answer

Periodic tokens renew to their period indefinitely unless an explicit max TTL is present; 'token_explicit_max_ttl' on the AppRole role is the one setting that still bounds them. Renewals succeed right up to that limit, each capped a little shorter than the period as the boundary approaches, and then the token expires and the next read is rejected, which is exactly the pattern observed. Option A is wrong because Vault has no per-client token cap by default, and a lease count quota would reject token creation with a quota error rather than expire existing tokens. Option B is wrong because the renewals were observed succeeding. Option D is wrong because destroying or expiring a secret ID only stops new logins; tokens already issued keep their own lifetime.

31
MCQ (hard)

A token with this policy attempts to read the secret at path 'secret/data/engineering/special'. Will the read succeed?

A.Yes, because the first path grants read on all secrets under 'secret/data/engineering/'
B.No, because the token needs an additional policy to read from that specific path
C.Yes, because the second path implicitly allows read
D.No, because the second path is more specific and only allows create/update
Answer: A

The wildcard includes 'special'.

Why this answer

Option A is correct because the first rule grants 'read' on 'secret/data/engineering/*', and the longest-prefix match for 'secret/data/engineering/special' is that rule. The second rule grants 'create' and 'update' on a different path (without the 'data' prefix), so it neither applies to this request nor denies anything; Vault only subtracts permissions through an explicit 'deny'. The second rule also illustrates a common mistake with KV v2: the logical paths for a KV v2 mount always include 'data/' (reads and writes) or 'metadata/' (list and metadata operations), so a rule written on 'secret/engineering/special' never matches a KV v2 operation.

Option B is wrong because merging rules does not make one override another unless one contains 'deny'. Option C is wrong because the second path does not cover this request at all, so it allows nothing here, implicitly or otherwise. Option D is wrong because specificity only matters between rules that actually match the request path, and the second rule does not match.

32
MCQhard

A token is created with policies 'default' and 'web-app'. Later, a parent token's policy is updated to add 'logging'. The child token's policies are not updated. What will happen when the child token is used?

A.The child token will still have only 'default' and 'web-app' policies
B.The child token will be automatically renewed to pick up the new policy
C.The child token will automatically gain the 'logging' policy
D.The child token will be invalidated due to policy mismatch
AnswerA

Token policies are set at creation and do not change.

Why this answer

Token policies are snapshotted at creation time; they do not inherit changes from parent tokens. Therefore, the child token still has only 'default' and 'web-app'. Option C is wrong because parent token policy changes do not propagate to existing child tokens.

Option B is wrong because Vault does not automatically renew a token to refresh its policies. Option D is wrong because the token is not invalidated.

33
MCQmedium

A team needs to issue unique tokens to each of 100 microservices, each with its own policy, and ensure that revoking one token does not affect others. Which token feature should they use?

A.Periodic tokens
B.Orphan tokens
C.Token accessors
D.Token roles with distinct policies
AnswerD

Token roles enable creation of tokens with specific policies, providing isolation.

Why this answer

Token roles allow creating tokens with specific policies and settings. Each microservice can have its own token role with a distinct policy, ensuring isolation.

34
MCQhard

An admin creates a token with TTL=48h and explicit_max_ttl=120h. The token is renewed every 24h. After 10 days, will the token still be valid?

A.Yes, because TTL refreshes to 48h on each renewal.
B.Yes, if renewed before TTL expires, it can persist indefinitely.
C.No, because the total lifetime cannot exceed the explicit_max_ttl of 120h.
D.No, because tokens cannot be renewed more than 5 times.
AnswerC

Explicit_max_ttl caps the total lifetime regardless of renewals.

Why this answer

The token's total lifetime cannot exceed the explicit_max_ttl of 120h (5 days). After 10 days, it would have exceeded this limit and become invalid.

35
Multi-Selecthard

Which THREE of the following are valid parameters when creating a token via the API?

Select 3 answers
A.num_uses
B.ttl
C.policies
D.accessor
E.max_ttl
AnswersB, C, E

TTL can be set at creation.

Why this answer

Valid parameters include 'policies', 'ttl', 'max_ttl', 'renewable', 'period', 'explicit_max_ttl', 'id', 'role', 'meta', etc. 'Accessor' is not a creation parameter; it is returned after creation. 'Num_uses' is a valid parameter to limit the number of uses.

36
MCQhard

An application uses a Vault token with a policy that grants read access to secrets. The security team wants to ensure that if the application is compromised, the token cannot be used after a certain time even if the attacker has the token. What is the best approach?

A.Use a revocation script that runs periodically
B.Set explicit max TTL on the token
C.Use a periodic token with a long period
D.Set a short TTL on the token and do not allow renewal
AnswerD

A short TTL ensures the token expires quickly.

Why this answer

Option D is correct because setting a short TTL on the token and disallowing renewal ensures that the token automatically expires after a fixed, short duration. Even if an attacker compromises the token, they cannot extend its lifetime, limiting the window of exposure. This directly meets the security requirement of preventing token use beyond a certain time without relying on external revocation mechanisms.

Exam trap

HashiCorp often tests the distinction between TTL and renewal behavior; the trap here is that candidates confuse 'max TTL' (which still allows renewal) with 'short TTL + no renewal' (which enforces absolute expiry), leading them to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because a revocation script that runs periodically introduces a window of vulnerability between revocation checks; the token remains valid until the script executes, and the script itself adds operational complexity and potential failure points. Option B is wrong because setting an explicit max TTL on the token does not prevent the token from being renewed up to that max TTL; if renewal is allowed, an attacker could keep the token alive for the entire max TTL duration, which may be longer than desired. Option C is wrong because a periodic token with a long period is designed for long-lived, renewable access; it can be renewed indefinitely as long as the parent policy allows, which contradicts the requirement to limit token lifetime after compromise.

37
MCQeasy

An administrator needs to revoke a token but wants to keep all child tokens that were created using this token as the parent. Which revocation operation should be used?

A.Orphan token revocation
B.Immediate token revocation
C.Sudo token revocation
D.Self token revocation
AnswerA

Orphan revocation removes the token from the hierarchy but preserves children.

Why this answer

Orphan revocation removes the token from the parent-child tree but does not revoke its children. Option B is wrong because immediate revocation revokes the token and all its children. Option C is wrong because sudo revocation is not a standard Vault operation.

Option D is wrong because self revocation revokes the token making the request, not specifying orphan behavior.

38
MCQmedium

Refer to the exhibit. An admin wants to ensure this token can be used for 60 hours total. Which action should be taken?

A.Increase the creation_ttl to 60h.
B.The token will expire after 48h, so increase explicit_max_ttl to 60h on the current token.
C.Create a new token with explicit_max_ttl=60h.
D.The token already can be used for 60h because it is renewable.
AnswerC

A new token with appropriate max TTL is required.

Why this answer

The token's explicit max TTL is 48h, meaning it cannot last longer than 48h. To achieve 60h, a new token must be created with explicit_max_ttl set to at least 60h. The existing token cannot be modified.

39
MCQmedium

A DevOps team is using Vault tokens for authentication in CI/CD pipelines. They notice that tokens are often expired before the pipeline completes, causing failures. Which Vault feature should they use to address this without manual intervention?

A.Use batch tokens for better performance
B.Use periodic tokens with a short period and allow renewal
C.Create orphan tokens so they don't expire with the parent
D.Increase the default TTL on the token auth method
AnswerB

Periodic tokens can be renewed before expiration as long as they are within max TTL.

Why this answer

Periodic tokens are designed for long-running processes like CI/CD pipelines. They have no maximum TTL and can be renewed indefinitely as long as the renewal occurs before the current token's TTL expires. By using a periodic token with a short period and enabling automatic renewal in the pipeline, the token stays valid without manual intervention, solving the expiration issue.

Exam trap

HashiCorp often tests the misconception that increasing TTL or using orphan tokens solves indefinite expiration, but the key is that periodic tokens are the only token type designed for renewable, long-lived use without a hard upper limit.

How to eliminate wrong answers

Option A is wrong because batch tokens are stateless and cannot be renewed; they have a fixed TTL and are unsuitable for long-running pipelines. Option C is wrong because orphan tokens are detached from their parent but still have a finite TTL and must be renewed; they do not inherently prevent expiration. Option D is wrong because increasing the default TTL on the token auth method only extends the initial validity but does not allow indefinite renewal; the token will still eventually expire, and manual intervention would be needed to re-authenticate.

40
Multi-Selecteasy

Which TWO of the following are valid token states?

Select 2 answers
A.Expired
B.Orphan
C.Suspended
D.Revoked
E.Active
AnswersD, E

A revoked token is invalid.

Why this answer

Option D is correct because 'Revoked' is a standard token state defined in the OAuth 2.0 framework (RFC 7009) and implemented in Vault's token lifecycle. When a token is explicitly revoked via the `/sys/leases/revoke` endpoint or through a lease revocation, it transitions to the revoked state and can no longer be used for authentication or authorization.

Exam trap

HashiCorp often tests the distinction between token lifecycle states and token properties (like orphan status) to confuse candidates who may think 'orphan' or 'suspended' are official states, when in fact only 'Active' and 'Revoked' are the primary valid token states in Vault.

41
MCQeasy

A company runs multiple microservices in a Kubernetes cluster. Each microservice authenticates to Vault using a service token created via the token auth method. The tokens are created with a default TTL of 72h, a max TTL of 168h, and renewable set to true. The services are configured to renew their tokens when the remaining TTL drops below 24h. Recently, some tokens have been expiring prematurely, causing service outages. Upon investigation, you find that the expired tokens were created with a role that includes explicit_max_ttl = 72h. The services see the TTL decreasing normally, but then it jumps to zero even though the services attempted renewal. What is the most likely cause and correct action?

A.Configure the services to renew the token when TTL drops below 48h.
B.Remove the explicit_max_ttl setting from the role or set it to 0.
C.Increase the default TTL on the token auth mount to 168h.
D.Set max_ttl on the role to 72h.
AnswerB

Removing explicit_max_ttl allows tokens to be renewed up to the max TTL of 168h.

Why this answer

The explicit_max_ttl of 72h overrides the creation_ttl and max_ttl. Even though renewable is true, the token cannot be renewed beyond its explicit_max_ttl. The correct action is to remove or set explicit_max_ttl to 0 in the role configuration.

Increasing the default TTL (option C) does not help because explicit_max_ttl is lower. Setting max_ttl to 72h (option D) would not change the behavior. Renewing earlier (option A) still cannot bypass the hard limit.

42
MCQhard

A large enterprise runs Vault in a production environment with hundreds of applications. Each application uses a unique Vault token with a 30-day TTL. The tokens are created by a central CI/CD pipeline using Vault's token auth method. Recently, the security team noticed that several tokens with suspicious activity have been created with a 90-day TTL, and the tokens appear to be long-lived and not revoked after use. The CI/CD pipeline logs show no anomalies. The audit logs reveal that the tokens in question were created by a human user 'jdoe' using a token with the 'admin' policy. The 'admin' policy grants '*' capabilities on all paths. The Vault token accessor shows that the suspicious tokens have a 'creation_ttl' of 2160h (90 days) and 'explicit_max_ttl' of 0s. The Vault configuration uses a default lease TTL of 24h and a max lease TTL of 720h (30 days). Which action should the security team take to prevent such incidents in the future without breaking existing applications?

A.Remove the 'admin' policy from all human users and require them to use a different authentication method.
B.Implement a Sentinel policy that blocks token creation by any user except the CI/CD pipeline.
C.Create a dedicated token role with a max TTL of 720h (30 days) and restrict token creation to that role; revoke the 'admin' policy's create permission on auth/token/create.
D.Reduce the system max lease TTL to 720h (30 days) and enforce that all tokens must have explicit_max_ttl set.
AnswerC

This enforces a TTL limit on tokens and restricts who can create tokens, preventing unauthorized long-lived tokens.

Why this answer

Option C is correct because the root cause is that the 'admin' policy grants unrestricted token creation permissions, allowing a human user to bypass the intended CI/CD pipeline controls and create tokens with a 90-day TTL. By creating a dedicated token role with a max TTL of 720h (30 days) and revoking the 'admin' policy's create permission on 'auth/token/create', the team enforces a maximum TTL of 30 days for all tokens created via the token auth method, matching the system's max lease TTL and preventing long-lived tokens without breaking existing applications that use the CI/CD pipeline.

Exam trap

HashiCorp often tests the misconception that reducing the system max lease TTL alone will prevent long-lived tokens, but the trap here is that tokens with 'explicit_max_ttl' set to 0s or tokens created via roles with higher max TTLs can bypass this limit, so the correct solution is to restrict token creation permissions and enforce TTLs at the role level.

How to eliminate wrong answers

Option A is wrong because removing the 'admin' policy from human users does not address the underlying issue of unrestricted token creation permissions; human users could still create tokens with excessive TTLs using other policies or authentication methods, and it would break legitimate administrative workflows. Option B is wrong because implementing a Sentinel policy that blocks token creation by any user except the CI/CD pipeline would prevent human users from creating tokens entirely, which is overly restrictive and would break legitimate use cases where human users need to create tokens (e.g., for emergency access or break-glass scenarios). Option D is wrong because reducing the system max lease TTL to 720h (30 days) would not affect tokens that already have an 'explicit_max_ttl' of 0s, as the system max lease TTL only applies to tokens without an explicit max TTL; the suspicious tokens already bypassed this by having no explicit max TTL, so this change would not prevent future incidents.

43
Multi-Selectmedium

A DevOps engineer is troubleshooting an issue where a token cannot read a secret from the KV v2 engine at path 'secret/team-alpha/db-creds'. The token's policy includes the following: path "secret/team-alpha/*" { capabilities = ["read"] }. Which TWO reasons could explain the failure?

Select 2 answers
A.The user needs to use the token's accessor to read the secret
B.The path in the policy needs to be 'secret/data/team-alpha/*'
C.The token may have an additional restrictive policy from a parent token
D.The secret engine is not tuned to allow reads
E.The token is not a child of the root token
AnswersB, C

KV v2 requires the 'data' prefix in policy paths for secret access.

Why this answer

In KV v2, the path must include the 'data' prefix for data access. Additionally, the token may have inherited restrictive policies from a parent token or identity. The other options are not valid: the token's parentage is irrelevant, engine tuning does not affect path permissions, and accessors cannot be used to read secrets.

44
MCQmedium

A DevOps team generates a large number of short-lived tokens for automated deployments. They want to minimize storage overhead and avoid the need for token revocation. Which token type should they use?

A.Periodic tokens
B.Orphan tokens
C.Service tokens
D.Batch tokens
AnswerD

Batch tokens are not stored and have no revocation, ideal for short-lived automated tasks.

Why this answer

Batch tokens are designed for high-throughput, short-lived operations and are not stored in Vault, reducing storage overhead. They cannot be renewed or revoked, so no revocation is needed. Option C is wrong because service tokens are stored and require revocation.

Option A is wrong because periodic tokens have a finite lifetime but still incur storage and revocation. Option B is wrong because orphan tokens are still stored and require revocation.

45
MCQhard

Refer to the exhibit. A developer reports that a token they created using `vault token create -policy=my-policy -ttl=2h` is no longer working after 1 hour. The token lookup output shows the token details. What is the most likely cause?

A.The token's max_ttl was set to 1h when created, and the token reached its max_ttl.
B.The token has num_uses set to 0, meaning it can only be used once.
C.The token is a service token and cannot be renewed.
D.The token is an orphan token and requires the parent token to be valid.
AnswerA

If max_ttl is less than the requested TTL, the token will expire at max_ttl, causing it to stop working after 1 hour.

Why this answer

The token was created with a `-ttl=2h` but the token lookup output shows `max_ttl=1h`. The `max_ttl` is an upper limit enforced by the token's configuration or the system's maximum TTL setting. Even though the requested TTL was 2 hours, the token's effective lifetime is capped by the lower of the two values, so it expired after 1 hour.

Exam trap

HashiCorp often tests the distinction between `ttl` and `max_ttl`, where candidates mistakenly assume the token will last for the full `ttl` value without checking the overriding `max_ttl` limit.

How to eliminate wrong answers

Option B is wrong because `num_uses` set to 0 means the token has unlimited uses, not that it can be used only once. Option C is wrong because service tokens can be renewed unless explicitly configured with `explicit_max_ttl` or a non-renewable flag; the issue here is TTL expiration, not renewability. Option D is wrong because orphan tokens do not depend on a parent token for validity; they are standalone tokens that are not revoked when the parent is revoked.

46
Multi-Selecthard

Which TWO of the following scenarios require the use of a periodic token?

Select 2 answers
A.A token that never expires and has a TTL of 0.
B.A human operator who needs a token that can be used for multiple sessions.
C.A batch job that must continue running even if the parent token is revoked.
D.A token that should not be revoked when the token that created it is revoked.
E.A long-running application that needs a token that can be renewed indefinitely.
AnswersC, E

Periodic tokens are not children of a parent token; they are created by sudo users and are independent.

Why this answer

Option C is correct because a periodic token is designed to allow a child token (e.g., for a batch job) to continue operating even after its parent token is revoked. This is achieved by setting the token's period to a finite duration, which decouples the child token's lifecycle from the parent's, enabling the batch job to run to completion without interruption.

Exam trap

HashiCorp often tests the distinction between periodic tokens and renewable tokens, trapping candidates who think periodic tokens are for multi-session human use or that they require a TTL of 0, when in fact periodic tokens are for automated, long-lived processes that must outlive their parent.

47
Multi-Selecteasy

Which TWO of the following are valid uses of a token accessor? (Select exactly 2 options.)

Select 2 answers
A.Wrap the token
B.Create a child token
C.Renew the token
D.Lookup token properties
E.Revoke the token
AnswersD, E

The accessor can be used to lookup token metadata.

Why this answer

Options D and E are correct. The token accessor can be used to look up token properties and revoke the token without the token ID. Option C is wrong because renewal requires the token ID.

Option B is wrong because an accessor cannot be used to create a child token. Option A is wrong because wrapping uses the token ID.

48
MCQhard

An administrator wants to audit token usage without exposing the actual token IDs to auditors. Which approach should they use?

A.Enable audit logging without any modifications
B.Use token accessors in audit logs
C.Use the token lookup API for each audit event
D.Use response wrapping to encapsulate tokens
AnswerB

Token accessors are safe for logging and can be used to revoke or look up metadata without the token ID.

Why this answer

Option B is correct because token accessors are designed exactly for this purpose: they are references to tokens that can be used in audit logs without revealing the token ID. Option C is wrong because token lookup requires the token ID. Option A is wrong because enabling audit logging alone still logs the token ID.

Option D is wrong because wrapping tokens is for secure delivery, not auditing.

49
MCQeasy

A token with the above policy attempts to look up its own token by calling the accessor endpoint. What will happen?

A.The operation succeeds because the token can read its own token
B.The operation fails with a permission denied error
C.The operation succeeds because sudo allows all accessor operations
D.The operation fails because the token lacks any capabilities
AnswerB

The policy does not cover the accessor endpoint.

Why this answer

The policy grants sudo on 'auth/token/lookup', but the endpoint for lookup by accessor is 'auth/token/lookup-accessor', which is a different path. Therefore, this policy does not allow that operation. Option A is wrong because the path is different.

Option C is wrong because the policy does not have read or create on the correct path. Option D is wrong because the token has capabilities, just not on the required path.

50
Multi-Selecthard

Which TWO of the following are valid reasons for a token renewal to fail with a 'lease not found' or 'token not found' error? (Select exactly 2 options.)

Select 2 answers
A.The token has expired
B.The token has num_uses set to 0
C.The token has exceeded its max TTL
D.The token is an orphan token
E.The token is a batch token
AnswersA, E

An expired token will return token not found.

Why this answer

Options A and E are correct. A batch token is not renewable and will give a lease not found error. An expired token will also give a not found error.

Option D is wrong because an orphan token can still be renewed. Option C is wrong because a token that has reached its max_ttl will give permission denied, not not found. Option B is wrong because a token with num_uses=0 is still valid and renewable.

51
MCQhard

Refer to the exhibit. A user attempts to renew the token after 20 hours. What will happen?

A.The renewal will fail because the token has exceeded its explicit max TTL.
B.The token will be renewed for another 12h and can be renewed indefinitely.
C.The token will be renewed for 12h, but the total lifetime cannot exceed 24h.
D.The token will be renewed for another 4h, after which it will expire.
AnswerD

The remaining time until max TTL is 4h, so renewal grants a 4h TTL.

Why this answer

The explicit max TTL is 24h. After 20h, the remaining time until max TTL is 4h. Renewal will set the token duration to the minimum of the requested TTL (12h) and the remaining max TTL (4h), resulting in a 4h TTL.

After that, the token expires.

52
MCQmedium

A developer needs to manually revoke a token but only knows its accessor. Which Vault API endpoint can be used to revoke the token using only the accessor?

A.auth/token/accessors
B.auth/token/renew-accessor
C.auth/token/revoke-accessor
D.auth/token/revoke
AnswerC

This endpoint revokes the token associated with the accessor.

Why this answer

Option C is correct. The endpoint 'auth/token/revoke-accessor' revokes the token associated with the given accessor. Option B is for token renewal by accessor, D is for revocation by token ID, and A is for listing accessors.

53
MCQeasy

A Vault user wants to check the capabilities of their token on a specific path. Which command should they use?

A.vault token list
B.vault token capabilities <path>
C.vault policy capabilities <policy_name> <path>
D.vault token lookup <token>
AnswerB

This shows what actions the current token can perform on the path.

Why this answer

The `vault token capabilities` command is specifically designed to check what operations (e.g., read, create, update, delete, list) a given token is allowed to perform on a particular path. It evaluates the token's attached policies against the path and returns the effective capabilities, making it the correct tool for this task.

Exam trap

HashiCorp often tests the distinction between commands that inspect token metadata (`vault token lookup`) versus commands that evaluate policy-based permissions on a specific path (`vault token capabilities`), and candidates may confuse `vault policy capabilities` (which does not exist) with the correct command.

How to eliminate wrong answers

Option A is wrong because `vault token list` displays all tokens that exist in the token store (for tokens with appropriate permissions), not the capabilities of a specific token on a path. Option C is wrong because `vault policy capabilities` is not a valid Vault command; the correct command to check a policy's effect on a path is `vault token capabilities` (which uses the token's policies), and `vault policy read` is used to view policy rules. Option D is wrong because `vault token lookup` shows metadata about a token (such as creation time, TTL, and attached policies), but does not evaluate or display capabilities on a specific path.

54
Multi-Selectmedium

Which THREE of the following token properties are immutable after token creation? (Select exactly 3 options.)

Select 3 answers
A.Period
B.Policies
C.Renewable
D.Max TTL
E.TTL
AnswersA, C, D

The period for periodic tokens is set at creation and immutable.

Why this answer

Options A, C, and D are correct. Max TTL, the renewable flag, and period are set at creation and cannot be changed. Option E is wrong because TTL can be extended via renewal.

Option B (policies) is also immutable after creation, but the question asks for exactly three, and including policies would make four; the intended answers are therefore A, C, and D.

The official documentation states that the renewable flag cannot be changed after token creation. Max TTL and period also cannot be changed.

55
MCQeasy

A security team wants to ensure that tokens can be revoked immediately if a compromised token is detected, even if the token ID is unknown. Which token feature should they use?

A.Periodic tokens
B.Batch tokens
C.Token accessors
D.Orphan tokens
AnswerC

Token accessors enable revocation by providing the accessor instead of the token ID.

Why this answer

Token accessors allow revocation of a token without knowing the token ID. They are specifically designed for this purpose.

56
MCQeasy

An administrator creates a service token with a TTL of 1 hour and a max TTL of 24 hours. The token is renewed once after 55 minutes. What happens to the token after 24 hours from creation?

A.The token expires and cannot be renewed
B.The token is revoked by the system
C.The token's TTL is automatically extended by 1 hour
D.The token becomes an orphan token
AnswerA

Once max TTL is reached, the token expires and renewal is not possible.

Why this answer

Option A is correct because the token reaches its max TTL and expires. Option B is wrong because revocation is an explicit action. Option D is wrong because tokens do not become orphan automatically.

Option C is wrong because Vault does not extend a token's TTL beyond its max TTL automatically.

57
Multi-Selectmedium

Which THREE of the following are valid sources of token TTL?

Select 3 answers
A.System default TTL
B.Mount path configuration
C.Policy TTL
D.Explicit TTL set during token creation
E.Role TTL in an auth method
AnswersA, D, E

Vault has a default TTL for tokens.

Why this answer

Option A is correct because Vault has a system default TTL that applies to tokens when no other TTL source is specified. This default is typically 32 days (2764800 seconds) and serves as the maximum possible TTL for a token unless overridden by a shorter TTL from another source. The system default TTL is defined in the Vault server configuration and acts as a fallback to ensure tokens do not live indefinitely.

Exam trap

HashiCorp often tests the misconception that policies can set TTL values, but policies only define permissions, not token lifetimes; candidates may confuse policy with role configuration in auth methods.

58
MCQhard

Refer to the exhibit. A token was created with a creation_ttl of 24h, explicit_max_ttl of 10h, and a current ttl of 12h. What will happen when the token reaches its explicit_max_ttl?

A.The token will be automatically renewed by Vault.
B.The token will remain valid until the creation_ttl expires.
C.The token will be revoked immediately.
D.The token will have its TTL extended to 24h.
AnswerC

explicit_max_ttl is an absolute deadline; the token is revoked exactly at that time.

Why this answer

The explicit_max_ttl overrides any other TTL settings. When the token reaches its explicit_max_ttl (10h from creation), it will be revoked by Vault regardless of renewable or creation_ttl. Options suggesting renewal or extension are incorrect.

59
MCQmedium

A DevOps engineer notices that a long-running application using a Vault token fails after 24 hours. The token was created with a TTL of 48h. The token role has a default TTL of 48h and a max TTL of 72h. What is the most likely cause of the failure?

A.The token was manually revoked by an administrator.
B.The token was revoked due to a policy violation.
C.The token is a batch token and cannot be renewed.
D.The mount's max TTL for the token is 24h, overriding the role's setting.
AnswerD

The mount's max TTL is applied first and can cause early expiration.

Why this answer

The mount's max TTL for the token is likely set to 24h, which overrides the role's setting. Tokens cannot exceed the mount's max TTL, even if the role allows a longer TTL.

60
Multi-Selecthard

Which THREE statements about token accessors are true?

Select 3 answers
A.They can be used to look up token metadata without the token ID
B.They can be used to renew the token
C.They can be used to revoke the token
D.They are human-readable strings
E.They are unique identifiers for each token
AnswersA, C, E

The lookup token accessor endpoint provides metadata using the accessor.

Why this answer

Token accessors are unique identifiers that can be used to look up token metadata and revoke tokens without the token ID. However, they cannot be used to renew tokens (renewal requires the token ID) and are not human-readable (they are UUIDs).

61
MCQmedium

A DevOps team is using Vault tokens with short TTLs for CI/CD jobs. They notice that some jobs fail intermittently with 'permission denied' errors even though the token policy grants the required capabilities. The token is created with a TTL of 10 minutes and renewed automatically by the client library. What is the most likely cause of the failures?

A.The token's max_ttl has been exceeded, causing renewal to fail.
B.The token's parent token has been revoked.
C.The token's max_ttl is being reset each time the token is renewed.
D.The token's TTL is too short and the client library is not renewing in time.
AnswerA

If the token's lifetime exceeds max_ttl, renewal is denied and the token becomes invalid.

Why this answer

The correct answer is A because Vault tokens have both a TTL (time-to-live) and a max_ttl (maximum time-to-live). When a token is renewed, its TTL is reset to the original TTL (10 minutes) but only if the cumulative lifetime has not exceeded the max_ttl. If the max_ttl is reached, renewal fails, the token expires, and subsequent operations using that token return 'permission denied' errors, even though the policy itself grants the required capabilities.

Exam trap

HashiCorp often tests the distinction between TTL and max_ttl, trapping candidates who assume that automatic renewal indefinitely extends token validity without considering the hard upper limit imposed by max_ttl.

How to eliminate wrong answers

Option B is wrong because revoking the parent token would immediately invalidate all child tokens, causing consistent failures, not intermittent ones, and the scenario describes intermittent failures. Option C is wrong because the max_ttl is a hard upper bound and is never reset or extended by renewal; only the current TTL is reset. Option D is wrong because the client library is described as renewing automatically, and a 10-minute TTL is generally sufficient for CI/CD jobs; the issue is the cumulative lifetime exceeding max_ttl, not the renewal timing.

62
Drag & Drop · medium

Drag and drop the steps to initialize and unseal a Vault server for the first time into the correct order.

Why this order

After starting the server, initialize it, distribute keys, unseal, then verify.

63
MCQ · easy

Your company uses Vault to manage secrets for a fleet of microservices running on Kubernetes. Each microservice has a service account that authenticates to Vault using the Kubernetes auth method and receives a token with a policy granting access to its secrets. Recently, the team noticed that some tokens are being revoked prematurely, causing services to lose access to secrets. The tokens are created with a TTL of 24 hours and are set to be renewable. The Vault servers are configured with a default max_ttl of 24 hours. The tokens are renewed by the client libraries every 12 hours. Despite this, tokens are sometimes invalid before 24 hours. What should the team do to prevent this issue?

A. Set the token's num_uses to a high number to prevent premature revocation.
B. Change the tokens to periodic tokens so they never expire.
C. Decrease the token TTL to 12 hours so that renewal happens before the max_ttl is reached.
D. Increase the max_ttl on the token role to 48 hours to allow renewal beyond 24 hours.
Answer: D

By increasing max_ttl, tokens can be renewed and remain valid for a longer period, preventing premature expiration.

Why this answer

Option D is correct because the tokens are being revoked prematurely due to the Vault server's default max_ttl of 24 hours. Even though the token TTL is 24 hours and the client renews every 12 hours, the max_ttl caps the total lifetime of the token, including renewals. By increasing the max_ttl on the token role to 48 hours, the token can be renewed beyond the initial 24-hour window, preventing premature invalidation.

Exam trap

HashiCorp often tests the distinction between TTL and max_ttl, and the trap here is that candidates assume renewing a token resets its entire lifetime, not realizing that max_ttl imposes a hard cap on total token duration.

How to eliminate wrong answers

Option A is wrong because setting num_uses to a high number controls the number of times a token can be used, not its lifetime; premature revocation here is a TTL issue, not a usage count issue. Option B is wrong because periodic tokens never expire only if they are continually renewed before their period ends, but they still respect max_ttl unless explicitly set to not expire, which is not the default behavior and would introduce security risks. Option C is wrong because decreasing the token TTL to 12 hours would cause the token to expire before the 12-hour renewal interval, leading to even more frequent loss of access; the renewal happens every 12 hours, so a 12-hour TTL would not allow a successful renewal before expiration.

64
Multi-Select · easy

Which TWO statements are true about batch tokens?

Select 2 answers
A. Batch tokens can be renewed to extend their lifetime
B. Batch tokens cannot be renewed or revoked
C. Batch tokens are not stored in Vault's storage backend
D. Batch tokens can be looked up using the lookup endpoint
Answers: B, C

They have a fixed lifetime and cannot be changed.

Why this answer

Batch tokens are lightweight, not stored in Vault's storage backend, and can be neither renewed nor revoked. Option A is incorrect because batch tokens cannot be renewed. Option D is incorrect because batch tokens do not appear in lookup.

65
Multi-Select · medium

An administrator needs to issue tokens that are automatically renewable by the client (so they can stay alive as long as renewed) but must expire no later than 30 days. Which TWO token parameters should be configured on the token role?

Select 2 answers
A. renewable
B. ttl
C. max_ttl
D. period
E. num_uses
Answers: C, D

Max_ttl enforces an absolute maximum lifetime.

Why this answer

Period allows automatic renewal by extending the token's TTL by the period value on each renewal, while max_ttl caps the total lifetime. TTL is the initial lifetime, but with period set, the token's TTL is derived from the period. Renewable must be true (the default for periodic tokens), but it does not need to be set explicitly.

Num_uses is unrelated.

66
MCQ · medium

A security team wants to enforce that all tokens created by a specific AppRole can only be used to read secrets from the path 'secret/data/team-a/*'. They have configured the AppRole with token_policies that include that path. However, a developer uses the token created from this AppRole to create a child token with broader policies, granting access to 'secret/data/team-b/*'. The security team wants to prevent such privilege escalation. Which action should be taken to ensure that child tokens cannot have broader policies than the parent?

A. Regularly audit and revoke tokens that violate policy
B. Use the parent token's 'allowed_policies' to restrict which policies child tokens can receive
C. Use a root token to create all tokens and distribute them securely
D. Set the parent token's 'orphan' property to 'true'
Answer: B

The parent token can set 'allowed_policies' to limit which policies child tokens can receive.

Why this answer

Option B is correct. In Vault, when creating a child token, the parent's policies are inherited unless the parent has 'allowed_policies' set, which limits the policies the child can have. If the parent does not set 'allowed_policies', the child can have any policies the creator has access to. To prevent this, set the parent's 'allowed_policies' to include only the desired policy.

Option A is wrong because revoking tokens after the fact does not prevent future escalation. Option C is wrong because root tokens are not needed. Option D is wrong because setting 'orphan=true' does not affect policies.

67
MCQ · hard

A root token creates token T1 with a TTL of 1 hour. T1 then creates token T2 with a TTL of 2 hours. After 30 minutes, T1 is revoked without using the 'cascade' option. What happens to T2?

A. T2 expires immediately
B. T2 becomes an orphan token and continues to work until its TTL expires
C. T2 is also revoked immediately
D. T2's TTL is reduced to match T1's remaining TTL
Answer: B

Children of revoked tokens become orphans and remain functional.

Why this answer

Option B is correct because revoking a token does not automatically revoke its children unless the cascade flag is used. T2 becomes an orphan token but continues to function until its own TTL expires. Option A is wrong because T2 is still active until its TTL expires.

Option C is wrong because cascade revocation was not used. Option D is wrong because T2 does not inherit the parent's remaining TTL.

68
MCQ · easy

A developer created a token and wants to ensure that the token can only be used to read secrets from the 'secret/data/production' path. Which policy attachment approach should be used?

A. Set the token's metadata to restrict access
B. Use a root token and restrict its use via a policy
C. Create a policy with read capability on 'secret/data/production' and attach it to the token
D. Set the token type to service and it will automatically restrict access
Answer: C

Policies define access; attaching the policy grants the token those permissions.

Why this answer

Option C is correct because Vault uses policies to define fine-grained access control, and the only way to restrict a token to read secrets from a specific path is to create a policy with the appropriate capabilities (e.g., 'read' on 'secret/data/production') and attach that policy to the token at creation time. Tokens themselves do not inherently carry path restrictions; they inherit permissions solely from attached policies.

Exam trap

HashiCorp often tests the misconception that token metadata or token type can enforce access restrictions, when in fact only policies attached to the token define what paths and operations are allowed.

How to eliminate wrong answers

Option A is wrong because token metadata is used for audit and identity purposes, not for enforcing access control; Vault does not evaluate metadata to allow or deny API requests. Option B is wrong because a root token has unrestricted access to all paths and policies cannot restrict a root token—root tokens bypass all policy checks by design. Option D is wrong because the token type (service vs. batch) determines lifecycle and revocation behavior, not access permissions; a service token still requires an attached policy to define what it can read.

69
MCQ · medium

A Vault administrator wants to allow a CI/CD pipeline to create short-lived tokens for deployment jobs. The pipeline itself authenticates with a periodic token. Which token type should the pipeline use to create tokens for jobs, considering the jobs need to be independent and not affected by the pipeline token's lifecycle?

A. Service tokens with explicit max TTL
B. Orphan tokens
C. Periodic tokens
D. Batch tokens
Answer: B

Orphan tokens are not revoked when the parent expires.

Why this answer

Orphan tokens are the correct choice because they allow the CI/CD pipeline to create child tokens that are not tied to the parent token's lifecycle. When a periodic token creates an orphan token, the child token remains valid even if the parent token is revoked or expires, ensuring deployment jobs are independent and not affected by the pipeline token's lifecycle.

Exam trap

HashiCorp often tests the misconception that all child tokens are automatically orphaned or that periodic tokens can create independent child tokens, but the trap is that only explicitly orphaned tokens break the parent-child chain, while default token creation maintains a hierarchical dependency.

How to eliminate wrong answers

Option A is wrong because service tokens with explicit max TTL are still parent-child tokens; if the parent token is revoked, the child token is also revoked, so the jobs would be affected by the pipeline token's lifecycle. Option C is wrong because periodic tokens are used for long-lived, renewable tokens with a fixed lifetime, not for creating short-lived tokens for jobs; they also create parent-child relationships by default. Option D is wrong because batch tokens are lightweight, non-renewable tokens that cannot create child tokens at all, so they cannot be used to generate tokens for deployment jobs.

70
MCQ · easy

A security policy requires that all tokens are revoked when a user leaves the organization. What is the most efficient way to revoke all tokens issued to that user?

A. Use the identity/entity endpoint to revoke all tokens associated with the user's entity
B. Revoke each token individually using its accessor
C. Use the auth/token/revoke-prefix endpoint with the user's token path
D. Restart the Vault server
Answer: A

Entity-based revocation revokes all tokens linked to the entity.

Why this answer

Option A is correct. Revoking by entity ID ensures all tokens associated with the user's entity are revoked, regardless of creation path. Option B is inefficient.

Option C misses tokens created via other auth methods. Option D is disruptive and does not target one user's tokens specifically.

71
Multi-Select · medium

Which TWO of the following are true about Vault token accessors?

Select 2 answers
A. An accessor is the same as the token ID.
B. An accessor can be used to revoke a token without having the token ID.
C. Accessors are unique only within a namespace.
D. An accessor is required to look up token properties.
E. An accessor can be used to renew a token without having the token ID.
Answers: B, E

Correct: The /auth/token/revoke-accessor endpoint allows revocation using only the accessor.

Why this answer

Token accessors are unique references to tokens that allow certain operations without exposing the token ID. Options B and E are correct: accessors can be used to revoke or renew tokens without the token ID. Option A is false because an accessor is a separate identifier from the token ID.

Option C is false because accessors are unique globally across the Vault cluster, not just within a namespace. Option D is incorrect because token properties can be looked up using either the token ID or its accessor; the accessor is not required.

72
Matching · medium

Match each Vault auth method to its authentication mechanism.

RoleID and SecretID

Username/password against LDAP server

Static or periodic tokens

Service account token

JSON Web Token / OpenID Connect

Why these pairings

These are standard Vault authentication methods.

73
MCQ · medium

A token with a policy granting 'write' on 'secret/team-alpha/*' is unable to write to 'secret/team-alpha/db-creds' in a KV v2 engine. What is the most likely cause?

A. The token is not a root token
B. The token's TTL has expired
C. The token has a conflicting policy from a parent token
D. The policy path should be 'secret/data/team-alpha/*' for KV v2
Answer: D

KV v2 secrets are accessed under the 'data' sub-path.

Why this answer

Option D is correct because KV v2 requires the 'data' prefix in the policy path for accessing secrets. Option A is wrong because the token does not need to be root; it works with the correct path. Option B is wrong because token expiration would give a 403 with a different error.

Option C is wrong because the token may have other policies that grant or deny, but the primary issue is the missing 'data' prefix.

74
Multi-Select · medium

An administrator is reviewing Vault token policies and wants to ensure that tokens created by a specific application cannot be renewed and have a fixed lifetime. Which two token configurations should be applied?

Select 2 answers
A. Set max_ttl on the role to a very large value.
B. Set renewable to false.
C. Set ttl on the token to 0.
D. Set explicit_max_ttl on the token to match the desired TTL.
E. Set no_default_policy to true.
Answers: B, D

Setting renewable to false prevents the token from being renewed.

Why this answer

To prevent renewal and fix the lifetime, set 'explicit_max_ttl' to the desired maximum TTL (which cannot be extended) and set 'renewable' to false so that renewal is not allowed. Option A (max_ttl) is a limit but does not prevent renewal, Option C (ttl=0) is not valid, and Option E (no_default_policy) is unrelated.

75
MCQ · hard

An organization uses Vault's token auth method to issue tokens for long-running services. They want to ensure that tokens are automatically revoked after 30 days, even if the service repeatedly renews them. Which token role configuration achieves this?

A. Set ttl to 720h without setting max_ttl
B. Set explicit_max_ttl to 720h on the token role
C. Set period to 720h without setting max_ttl
D. Set max_ttl to 720h on the token role
Answer: D

max_ttl imposes a hard limit on the token's total lifetime, regardless of renewals.

Why this answer

Option D is correct because setting max_ttl on the token role enforces an absolute lifetime; even if the token is renewed, it cannot exceed max_ttl. Option A is wrong because setting ttl without max_ttl allows renewal beyond the initial ttl. Option C is wrong because periodic tokens without max_ttl can be renewed indefinitely.

Option B is wrong because explicit_max_ttl is not the role parameter that enforces this cap; the correct property is max_ttl.
