Vault
Sample questions - Vault Associate (003)
HashiCorp Associate-level certification exams consist of true or false, multiple choice, and multiple answer question types. Below are some example questions to introduce you to the question format you will encounter on the exam.
The exam questions are not intended to trick you. The exam tests your knowledge of Terraform, not how well you spell or how good you are at identifying obscure details.
Visit the HashiCorp Cloud Engineer Certification page for more information and to sign up for the exam.
True or false questions
True or false questions present you with a statement and ask you to choose whether it is true or false.
Example
When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt them.
⬜ True
⬜ False
✅ Correct: True
❌ Incorrect: False
Source: Vault Seal/Unseal
Batch tokens can be renewed indefinitely.
⬜ True
⬜ False
❌ Incorrect: True
✅ Correct: False
Source: Vault Tokens
To seal a Vault, the client token must have the sudo capability on the sys/seal path.
⬜ True
⬜ False
✅ Correct: True
❌ Incorrect: False
Source: Vault /sys/seal
Multiple choice questions
Multiple choice questions ask you to select one correct answer from a list.
Examples
Which statement is true about an orphan token?
⬜ It does not expire when its parent does
⬜ It is not persisted
⬜ It does not have a max time-to-live (TTL)
⬜ It has a use limit
✅ Correct: It does not expire when its parent does
❌ Incorrect: It is not persisted
❌ Incorrect: It does not have a max time-to-live (TTL)
❌ Incorrect: It has a use limit
Source: Vault Token
Which path will this policy allow?
path "kv/+/team_*" {
    capabilities = [ "read" ]
}
⬜ kv/team_edu
⬜ kv/us-west/team
⬜ kv/us-west/team_edu
⬜ kv/us-west/ca/team_edu
❌ Incorrect: kv/team_edu
❌ Incorrect: kv/us-west/team
✅ Correct: kv/us-west/team_edu
❌ Incorrect: kv/us-west/ca/team_edu
Source: Vault Policies
An organization needs to protect sensitive application data currently stored in a database as plaintext. Which secrets engine provides a solution?
⬜ Key/Value v2 secrets engine
⬜ Cubbyhole secrets engine
⬜ Transit secrets engine
⬜ Database secrets engine
❌ Incorrect: Key/Value v2 secrets engine
❌ Incorrect: Cubbyhole secrets engine
✅ Correct: Transit secrets engine
❌ Incorrect: Database secrets engine
Source: Vault Transit Secrets Engine
Which command will retrieve all enabled secrets engines?
⬜ vault secrets get
⬜ vault secrets read
⬜ vault secrets list
⬜ vault secrets move
❌ Incorrect: vault secrets get
❌ Incorrect: vault secrets read
✅ Correct: vault secrets list
❌ Incorrect: vault secrets move
Source: Vault secrets list
You need to edit a policy, but the UI appears as shown. What is the problem?

⬜ This is a UI error. Contact support.
⬜ You don't have permission to manage policies.
⬜ Vault UI does not support policy creation and management.
⬜ Use the command shell in UI to manage policies.
❌ Incorrect: This is a UI error. Contact support.
✅ Correct: You don't have permission to manage policies.
❌ Incorrect: Vault UI does not support policy creation and management.
❌ Incorrect: Use the command shell in UI to manage policies.
Source: Vault Policies
Based on the token lookup output, what type of token is it?
Key                 Value
---                 -----
accessor            n/a
creation_time       1646698338
creation_ttl        20m
display_name        token
entity_id           n/a
expire_time         2022-03-07T16:32:18-08:00
explicit_max_ttl    0s
id                  hvb.AAAAAQJyBEVE-vTWUrg0hcoIPuvKjjNxXXZ5MfsYVg2gJ0fGZpVi0IGTFfh4TqsoQIWaocNRXD1qzGXvhIHWJBM_rWU9YJY8sXOYVy_s1JAHasXJwGmZ_fBLJfSG6aCwQkCGwtAhYw
issue_time          2022-03-07T16:12:18-08:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default test]
renewable           false
ttl                 13m58s
type                batch
⬜ root
⬜ batch
⬜ orphan
⬜ periodic
❌ Incorrect: root
✅ Correct: batch
❌ Incorrect: orphan
❌ Incorrect: periodic
Source: Vault Tokens
Based on the token lookup output, how many times can the token be used?
Key                 Value
---                 -----
accessor            GMAlk9ZNLGOCuTrOEIAooJG3
creation_time       1646691009
creation_ttl        1h
display_name        token
entity_id           n/a
expire_time         2022-03-07T15:10:09.115115-08:00
explicit_max_ttl    0s
id                  hvs.CAESIJRM-T1q5lEjIWux1Tjx-VGqAYJdd4FZtbp1wpD5Ym9pGh4KHGh2cy5TSjRndGoxaU44NzNscm5MSlRLQXZ0ZGg
issue_time          2022-03-07T14:10:09.115118-08:00
meta                <nil>
num_uses            1
orphan              false
path                auth/token/create
policies            [default]
renewable           true
ttl                 58m14s
type                service
⬜ Until the TTL expires in 58m14s
⬜ 1 time
⬜ The token has expired because max TTL is already at 0s
⬜ This token does not expire because the default policy is attached
❌ Incorrect: Until the TTL expires in 58m14s
✅ Correct: 1 time
❌ Incorrect: The token has expired because max TTL is already at 0s
❌ Incorrect: This token does not expire because the default policy is attached
Source: Vault Tokens
Multiple answer
Multiple answer questions ask you to select multiple correct answers from a list. The question indicates how many answers you must choose.
Examples
What is true of Vault tokens? Pick the 2 correct responses below
⬜ Vault tokens are generated by every authentication method login
⬜ Vault tokens are also known as unseal keys
⬜ Vault tokens are required for every Vault call
⬜ Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
⬜ Vault tokens are the core method for authentication in Vault
✅ Correct: Vault tokens are generated by every authentication method login
❌ Incorrect: Vault tokens are also known as unseal keys
❌ Incorrect: Vault tokens are required for every Vault call
❌ Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
✅ Correct: Vault tokens are the core method for authentication in Vault
Source: Vault Tokens
Which statements correctly describe the command below? Pick the 2 correct responses below
vault write transit/decrypt/password \
  ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
⬜ Returns an error due to missing encryption key name
⬜ Returns base64-encoded plaintext
⬜ Decrypts the ciphertext if the token permits
⬜ Returns the ciphertext
⬜ Requires sudo capability on the transit/decrypt/password path
❌ Incorrect: Returns an error due to missing encryption key name
✅ Correct: Returns base64-encoded plaintext
✅ Correct: Decrypts the ciphertext if the token permits
❌ Incorrect: Returns the ciphertext
❌ Incorrect: Requires sudo capability on the transit/decrypt/password path
Source: Vault Transit Secrets Engine
Which of the following statements explains the benefit of response wrapping? Pick the 2 correct responses below
⬜ Limits the time of secret exposure by having a short-lived wrapping token
⬜ Allow versioning of the secrets
⬜ It protects Vault's root key (previously known as master key)
⬜ Only the reference to the secrets is transmitted over the public network
⬜ Limits the size of secrets to be transmitted over the network
✅ Correct: Limits the time of secret exposure by having a short-lived wrapping token
❌ Incorrect: Allow versioning of the secrets
❌ Incorrect: It protects Vault's root key (previously known as master key)
✅ Correct: Only the reference to the secrets is transmitted over the public network
❌ Incorrect: Limits the size of secrets to be transmitted over the network
Source: Vault Response Wrapping
Your organization has recently adopted Vault open source. You have been asked to enable the Vault K/V Version 2 secrets engine by two different teams. Company policy states the teams cannot share the same secrets engine. What are two possible solutions? Pick the 2 correct responses below
⬜ Enable the secrets engine at a dedicated path for each team using the -path parameter
⬜ Create a namespace for each of the teams and enable the secrets engine in the team's namespace
⬜ Only one type of secrets engine can be enabled on a Vault cluster
⬜ Deploy a second Vault cluster, one for each team
⬜ Enable the secrets engine at the default path and create policies that limit what each team can list, read, and write
✅ Correct: Enable the secrets engine at a dedicated path for each team using the -path parameter
❌ Incorrect: Create a namespace for each of the teams and enable the secrets engine in the team's namespace
❌ Incorrect: Only one type of secrets engine can be enabled on a Vault cluster
✅ Correct: Deploy a second Vault cluster, one for each team
❌ Incorrect: Enable the secrets engine at the default path and create policies that limit what each team can list, read, and write
Continue studying
To study all of the objectives tested on the exam, review the materials in our learning path. For a reference of the specific study materials that cover a particular exam objective, refer to the content list.