CCNA Vault Tokens Questions

18 of 93 questions · Page 2/2 · Vault Tokens topic · Answers revealed

76 · MCQ · easy

A user forgets to renew their token before it expires. What happens to the token and its associated leases?

A. The token becomes invalid but can be renewed within a grace period
B. The token is revoked and all its leases are revoked
C. The token is automatically renewed for another period
D. The token remains active but read-only

Answer: B

Expiration leads to revocation of the token and its leases.

Why this answer

Option B is correct because when a token expires, Vault automatically revokes it and all leases created by it. Option A is wrong because the token is revoked, not merely deactivated pending a grace period. Option C is wrong because the token is not automatically renewed. Option D is wrong because the token cannot be used at all after expiration.

77 · MCQ · hard

An administrator wants to ensure that a token created by a user cannot be used after 24 hours, even if the user tries to renew it. What should the administrator do?

A. Use a periodic token with a period of 24h
B. Create an orphan token with a TTL of 24h
C. Use a batch token
D. Set explicit max TTL on the token to 24h

Answer: D

Explicit max TTL cannot be exceeded by renewal.

Why this answer

Option D is correct because setting an explicit max TTL on the token to 24h ensures that the token's lifetime cannot be extended beyond 24 hours, even if the user attempts to renew it. In Vault, the `explicit_max_ttl` parameter overrides any renewal requests, enforcing a hard upper limit on the token's validity. This directly addresses the requirement that the token cannot be used after 24 hours, regardless of renewal attempts.

Exam trap

The trap here is that candidates confuse TTL (time-to-live, which can be extended via renewal) with explicit max TTL (which sets a hard, non-renewable expiration), leading them to choose periodic or orphan tokens that allow indefinite renewal.

How to eliminate wrong answers

Option A is wrong because a periodic token with a period of 24h can be renewed indefinitely as long as the renewal occurs within the period, allowing the token to exist beyond 24 hours. Option B is wrong because an orphan token with a TTL of 24h can still be renewed before expiration, extending its lifetime beyond the initial 24-hour window. Option C is wrong because a batch token is designed for high-throughput, short-lived operations and does not inherently enforce a hard maximum lifetime; it can be renewed or have its TTL extended unless explicitly constrained.

78 · MCQ · medium

A security analyst discovers that a token used by a legacy application is still active long after the application was decommissioned. Which Vault feature should have been used to automatically expire tokens when the application is no longer running?

A. Enable token renewal to keep it alive
B. Use a periodic token and revoke it manually
C. Set a TTL on the token
D. Use a batch token to limit its lifetime

Answer: C

TTL ensures the token expires automatically.

Why this answer

Option C is correct because setting a Time-To-Live (TTL) on the token ensures it automatically expires after a specified duration, even if the application is decommissioned. This prevents orphaned tokens from remaining active indefinitely, which is a security risk. Vault's TTL mechanism is designed to enforce token lifetime limits without requiring manual intervention.

Exam trap

The trap here is that candidates confuse token renewal (which extends lifetime) with TTL-based expiration, or they assume manual revocation is sufficient for automated lifecycle management, missing the need for automatic expiry via TTL.

How to eliminate wrong answers

Option A is wrong because enabling token renewal keeps the token alive indefinitely by renewing its lease, which is the opposite of what is needed to automatically expire the token. Option B is wrong because a periodic token has no fixed TTL and requires manual revocation, which does not provide automatic expiration when the application stops running. Option D is wrong because batch tokens are designed for high-throughput, non-renewable workloads but still require an explicit TTL or explicit revocation; they do not inherently limit lifetime based on application lifecycle.

79 · MCQ · medium

Refer to the exhibit. A developer tries to renew a token and receives this error. The token was created using 'vault token create -type=batch'. What is the most likely cause of this error?

A. The token is a service token and has expired
B. The token is a batch token
C. The token is a periodic token and its period has expired
D. The token is an orphan token

Answer: B

Batch tokens are not renewable and return a 'no matching lease' error.

Why this answer

Option B is correct. Batch tokens are not renewable, and attempting to renew one results in a 'no matching lease' error because batch tokens have no associated lease. Option A is wrong because service tokens are renewable.

Option C is wrong because periodic tokens are renewable. Option D is wrong because the token was not created as an orphan token.

80 · MCQ · medium

A security audit requires tracking token usage without exposing the token value itself. Which token attribute should be logged?

A. Token value
B. Creation TTL
C. Token accessor
D. Policy list

Answer: C

Accessor is a non-sensitive reference for token operations.

Why this answer

Option C is correct because the token accessor is a non-sensitive identifier that can be used for token lifecycle operations without revealing the token. Option A is wrong because the token value is sensitive and should not be logged. Option B is wrong because the creation TTL is not a unique identifier.

Option D is wrong because the policies are set at creation and do not uniquely identify a token.

81 · MCQ · easy

A development team needs tokens that can be renewed automatically as long as they are still in use, up to a maximum lifetime of 72 hours. Which token type and configuration should be used?

A. Periodic token with a TTL of 72h
B. Orphan token with a TTL of 1h
C. Batch token with a TTL of 72h
D. Service token with a TTL of 1h and max TTL of 72h

Answer: D

Service tokens can be renewed until max TTL is reached.

Why this answer

Option D is correct because service tokens with a max TTL of 72h can be renewed up to that limit. Option A is wrong because periodic tokens have no max TTL by default (they can be renewed indefinitely), not a 72h limit. Option C is wrong because batch tokens cannot be renewed.

Option B is wrong because orphan is not a token type; it is a property of a token.

82 · MCQ · hard

An organization uses Vault with AWS IAM auth. After rotating the AWS IAM role credentials, users are unable to authenticate with Vault. The Vault audit logs show 'permission denied' for the AWS auth method. What is the most likely cause?

A. The IAM role trust policy was not updated after credential rotation
B. The Vault token TTL expired
C. The client token used for AWS auth is revoked
D. The AWS secret engine is disabled

Answer: A

The trust policy must allow the new credentials to assume the role.

Why this answer

When AWS IAM role credentials are rotated, the trust policy attached to the IAM role must be updated to reflect the new credentials (access key and secret key) that Vault uses to call the AWS STS API. If the trust policy still references the old credentials, Vault's AWS auth method cannot validate the login request, resulting in a 'permission denied' error in the audit logs. This is the most likely cause because the rotation directly breaks the trust relationship between Vault and AWS.

Exam trap

HashiCorp often tests the misconception that credential rotation only affects the client's AWS credentials, not the trust relationship between Vault and AWS, leading candidates to incorrectly choose token-related options like B or C.

How to eliminate wrong answers

Option B is wrong because a Vault token TTL expiry would cause authentication failures for subsequent requests using that token, not for the initial AWS auth method login itself, and the audit log would show a different error (e.g., 'token expired'). Option C is wrong because the client token used for AWS auth is the temporary token returned by the AWS auth method after successful login; if it were revoked, the error would occur after authentication, not during the AWS auth method call. Option D is wrong because if the AWS secret engine were disabled, the audit log would show an 'engine disabled' or 'path not found' error, not a 'permission denied' error specific to the AWS auth method.

83 · MCQ · medium

A company uses Vault to issue tokens for short-lived tasks. They have configured a token role with 'period' set to 30 minutes and 'explicit_max_ttl' set to 24 hours. Tokens are created using the role and are expected to be renewed every 30 minutes by the tasks. However, after a few renewals, the Vault audit logs show that a token was renewed but then immediately expired. The task that was using the token failed. What is the most likely reason for this behavior?

A. The token reached its 'explicit_max_ttl' of 24 hours, and renewal is no longer possible.
B. The token was created by a root token and root tokens are not subject to periodic renewal.
C. The token was a batch token and batch tokens cannot be renewed at all.
D. The token was an orphan token and cannot be renewed more than a few times.

Answer: A

Correct: Periodic tokens cannot exceed explicit_max_ttl; after 24 hours, renewal fails and token expires.

Why this answer

Periodic tokens issued with an explicit_max_ttl have a maximum lifetime that cannot be exceeded. The 'period' defines how long the token lives before it needs renewal. When a token is renewed, the new TTL is set to the lesser of the period and the remaining time until the max TTL.

Once the token reaches the maximum TTL, renewal fails or the token expires. Option A is correct because the explicit_max_ttl caps the total lifetime. Option B is incorrect because root tokens bypass many controls but not necessarily the max TTL.

Option C is incorrect because batch tokens are not renewable by design, so a batch token could not have been renewed at all. Option D is incorrect because orphan status does not cause immediate expiry after renewal.

84 · MCQ · medium

The token was created 12 hours ago and has not been used yet. What will happen if the token is not used or renewed?

A. It can be renewed indefinitely if used
B. It will expire when the number of uses reaches 0
C. It will expire immediately because it was not used within 12 hours
D. It will expire in 12 hours

Answer: D

The current TTL is 12h, so without renewal, it expires in 12 hours.

Why this answer

Option D is correct because the ttl is 12h, so the token will expire in 12 hours. Option A is wrong because, although renewable is true, the token must be renewed before it expires. Option C is wrong because the token does not expire immediately for being unused; it has a TTL.

Option B is wrong because num_uses is 5, but the token will still expire when its TTL runs out.

85 · MCQ · hard

An application uses a periodic token with period=24h. The application renews every 12h. After 48h, the token is still valid. After 72h, the token is still valid. What is the maximum lifetime of this periodic token?

A. Unlimited (as long as it keeps renewing)
B. 72h
C. 48h
D. 24h

Answer: A

Periodic tokens have no max TTL and can be renewed indefinitely.

Why this answer

Periodic tokens have no max TTL; they can be renewed indefinitely as long as renewal occurs within the period (24h). Thus, the token can last forever if renewed in time.

86 · MCQ · easy

A developer needs a token that can be used only 5 times and must expire after 24 hours, regardless of the number of uses. Which token creation method should be used to enforce these constraints?

A. Create a token directly with num_uses=5
B. Use a token role with num_uses=5 and ttl=24h
C. Create a token directly with ttl=24h
D. Create a periodic token with period set to 24h

Answer: B

Token roles allow explicit limits on both number of uses and time-to-live.

Why this answer

Option B is correct because token roles allow setting num_uses and ttl, which can be used together to enforce both limits. Option A is wrong because setting num_uses alone doesn't enforce a time limit.

Options C and D are wrong because setting a ttl or a period alone doesn't enforce a use limit.

87 · MCQ · easy

An engineer wants to look up the token associated with a specific token accessor. Which API endpoint should be used?

A. auth/token/lookup-accessor
B. auth/token/accessors/
C. auth/token/lookup
D. auth/token/list

Answer: A

This returns token details for the given accessor.

Why this answer

Option A is correct because the endpoint auth/token/lookup-accessor returns token information, including the token's properties and policies, but not the token value; it is used to look up token details by accessor. Option C is wrong because auth/token/lookup looks up by token value.

Option D is wrong because auth/token/list lists accessors rather than looking up a token by accessor. Option B is wrong because auth/token/accessors/ is not a valid path.

88 · MCQ · hard

A company uses HashiCorp Vault in production to manage secrets for its microservices. One microservice, 'order-svc', authenticates via AppRole and receives a service token with a TTL of 24 hours and a max TTL of 48 hours. Over the past few days, operations teams report that 'order-svc' fails to renew its token after approximately 23 hours, causing authentication failures. The token lookup shows the token is still alive with about 1 hour of TTL remaining, but renewal attempts return a 'permission denied' error. The Vault audit logs show the renewal request is reaching Vault and being denied. The token's policies include 'path "auth/token/renew-self" { capabilities = ["update"] }'. The token was created with the default options. What is the most likely cause of this failure?

A. The token's parent token has been revoked, making it an orphan
B. The token is a batch token and cannot be renewed
C. The token has already been renewed up to its max TTL, so further renewal would exceed the max
D. The token's num_uses has reached zero

Answer: C

The max TTL of 48 hours has been nearly reached after multiple renewals, so the next renewal is denied.

Why this answer

Option C is correct. The token's explicit max TTL is 48 hours, and the token was created about 23 hours ago, so on its face about 25 hours of max TTL remain. Renewal, however, extends the TTL by the requested increment and can never push the token's total lifetime past the max TTL.

If the token has already been renewed multiple times, those renewals may have consumed most of the max TTL, so the next renewal attempt would push it above the max, resulting in a permission denied error. The 'permission denied' message indicates either that the token's capabilities are insufficient or that the operation is disallowed by the max TTL constraint; here the policy grants renew-self, so the max TTL is the cause. Option B is wrong because the token is a service token, not a batch token.

Option D is wrong because num_uses=0 means unlimited uses. Option A is wrong because the token is not an orphan.

89 · MCQ · medium

A security team wants to issue tokens that can be used for exactly 10 API calls, after which they must be renewed. Which two token parameters should be set on the token role?

A. period and num_uses
B. ttl and renewable
C. ttl and num_uses
D. num_uses and renewable

Answer: D

num_uses limits the uses, and renewable allows renewal after the limit is reached.

Why this answer

Option D is correct: num_uses=10 restricts to 10 uses, and renewable=true allows renewal after the uses are exhausted (if the user requests renewal before the token expires). Option A is wrong because period is for periodic tokens, not for limited use. Option B is wrong because ttl alone does not limit uses.

Option C is wrong because ttl and num_uses together would not allow renewal after uses exhausted without renewable being true.

90 · Multi-Select · easy

Which TWO statements about batch tokens are true?

Select 2 answers.

A. They are lightweight and support a high creation rate.
B. They cannot be used with a use-limit.
C. They support explicit max TTL.
D. They have a TTL.
E. They are renewable.

Answers: A, D

Batch tokens are designed for high throughput and are lightweight.

Why this answer

Batch tokens are lightweight and support a high creation rate, and they have a TTL (which cannot be renewed). They do not support explicit max TTL (they have TTL and no renewal), and they can have a use-limit.

91 · MCQ · hard

A Vault cluster has a token with the following policy: path "secret/data/dev/*" { capabilities = ["read", "list"] }. The token is used to read a secret at "secret/data/dev/password". The read succeeds. Later, the token tries to read "secret/data/prod/password". What happens?

A. Fails with a system error.
B. Succeeds because token has read capability on all secrets.
C. Succeeds because the token can list and read any path.
D. Fails because the token needs an explicit policy for "secret/data/prod/".

Answer: D

The token's policy only covers "dev/*", not "prod/*".

Why this answer

The token does not have permissions on the "secret/data/prod/" path, so the read fails with a permission denied error.

92 · MCQ · hard

An application's token is failing to renew, and the logs show 'token not renewable'. The token was created with a TTL of 24h and no explicit max TTL. What is the most likely cause?

A. The token was created with the renewable flag set to false
B. The token has been renewed too many times, exceeding its TTL
C. The token accessor is invalid
D. The token's max TTL has been reached

Answer: A

If renewable=false, Vault rejects renewal requests.

Why this answer

Option A is correct: if the token was created with a TTL but not explicitly marked as renewable, its renewable flag is false by default for service tokens, and Vault rejects renewal requests. Option C is wrong because token accessors are used for lifecycle actions but do not affect renewability. Option B is wrong because TTL extension is what happens on renewal; it is not a cause of failure.

Option D is wrong because a max TTL would only affect renewals beyond that limit, not prevent all renewals.

93 · Drag & Drop · medium

Drag and drop the steps to perform a Vault disaster recovery using the replication feature into the correct order.


Why this order

Initialize clusters, enable primary replication, generate token, enable secondary, promote if needed.
