Sample questions - Vault Associate (003)
Note
The material covered in these sample questions is for the Vault Associate 003 exam version, which is coming in early 2025. Switch to the Vault Associate 002 exam version if you need to take the exam in 2024.
The exam mainly consists of multiple choice and true/false questions. In addition, there are UI area selection questions. Some of the multiple choice questions are scenario-based questions to test your understanding of Vault 1.16 usage.
Below are some examples so you can familiarize yourself with the exam format.
True/false questions
Q1: When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt it.
🔘 True
🔘 False
✅ Correct: True
❌ Incorrect: False
Source: Vault Seal/Unseal
Q2: Batch tokens can be renewed indefinitely.
🔘 True
🔘 False
❌ Incorrect: True
✅ Correct: False
Source: Vault Tokens
Q3: To seal a Vault, the client token must have the sudo capability on the sys/seal path.
🔘 True
🔘 False
✅ Correct: True
❌ Incorrect: False
Source: Vault /sys/seal
Select one
Q4: Which statement is true about an orphan token?
🔘 It does not expire when its parent does
🔘 It is not persisted
🔘 It does not have a max time-to-live (TTL)
🔘 It has a use limit
✅ Correct: It does not expire when its parent does
❌ Incorrect: It is not persisted
❌ Incorrect: It does not have a max time-to-live (TTL)
❌ Incorrect: It has a use limit
Source: Vault Token
Q5: Which path will this policy allow?
path "kv/+/team_*" {
  capabilities = [ "read" ]
}
🔘 kv/team_edu
🔘 kv/us-west/team
🔘 kv/us-west/team_edu
🔘 kv/us-west/ca/team_edu
❌ Incorrect: kv/team_edu
❌ Incorrect: kv/us-west/team
✅ Correct: kv/us-west/team_edu
❌ Incorrect: kv/us-west/ca/team_edu
Source: Vault Policies
Q6: An organization needs to protect sensitive application data currently stored in a database as plaintext. Which secrets engine provides a solution?
🔘 Key/Value v2 secrets engine
🔘 Cubbyhole secrets engine
🔘 Transit secrets engine
🔘 Database secrets engine
❌ Incorrect: Key/Value v2 secrets engine
❌ Incorrect: Cubbyhole secrets engine
✅ Correct: Transit secrets engine
❌ Incorrect: Database secrets engine
Source: Vault Transit Secrets Engine
Q7: Which command will retrieve all enabled secrets engines?
🔘 vault secrets get
🔘 vault secrets read
🔘 vault secrets list
🔘 vault secrets move
❌ Incorrect: vault secrets get
❌ Incorrect: vault secrets read
✅ Correct: vault secrets list
❌ Incorrect: vault secrets move
Source: Vault secrets list
Multiple choice questions
Some multiple choice questions have more than one correct answer you must select. In such a case, the question explicitly states so. Read the question carefully.
Q8: What is true of Vault tokens? Choose TWO correct answers.
- Vault tokens are generated by every authentication method login
- Vault tokens are also known as unseal keys
- Vault tokens are required for every Vault call
- Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
- Vault tokens are the core method for authentication in Vault
✅ Correct: Vault tokens are generated by every authentication method login
❌ Incorrect: Vault tokens are also known as unseal keys
❌ Incorrect: Vault tokens are required for every Vault call
❌ Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
✅ Correct: Vault tokens are the core method for authentication in Vault
Source: Vault Tokens
Q9: Which statements correctly describe the command below? Choose TWO correct answers.
vault write transit/decrypt/password \
    ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
- Returns an error due to missing encryption key name
- Returns base64-encoded plaintext
- Decrypts the ciphertext if the token permits
- Returns the ciphertext
- Requires sudo capability on the transit/decrypt/password path
❌ Incorrect: Returns an error due to missing encryption key name
✅ Correct: Returns base64-encoded plaintext
✅ Correct: Decrypts the ciphertext if the token permits
❌ Incorrect: Returns the ciphertext
❌ Incorrect: Requires sudo capability on the transit/decrypt/password path
Source: Vault Transit Secrets Engine
Q10: Which of the following statements explain the benefit of response wrapping? Choose TWO correct answers.
- Limits the time of secret exposure by having a short-lived wrapping token
- Allow versioning of the secrets
- It protects Vault's root key (previously known as master key)
- Only the reference to the secrets is transmitted over the public network
- Limits the size of secrets to be transmitted over the network
✅ Correct: Limits the time of secret exposure by having a short-lived wrapping token
❌ Incorrect: Allow versioning of the secrets
❌ Incorrect: It protects Vault's root key (previously known as master key)
✅ Correct: Only the reference to the secrets is transmitted over the public network
❌ Incorrect: Limits the size of secrets to be transmitted over the network
Source: Vault Response Wrapping
Q11: Your organization has recently adopted Vault open source. You have been asked to enable the Vault K/V Version 2 secrets engine by two different teams. Company policy states the teams cannot share the same secrets engine. What are two possible solutions?
- Enable the secrets engine at a dedicated path for each team using the -path parameter
- Create a namespace for each of the teams and enable the secrets engine in the team's namespace
- Only one type of secrets engine can be enabled on a Vault cluster
- Deploy a second Vault cluster, one for each team
- Enable the secrets engine at the default path and create policies that limit what each team can list, read, and write
✅ Correct: Enable the secrets engine at a dedicated path for each team using the -path parameter
❌ Incorrect: Create a namespace for each of the teams and enable the secrets engine in the team's namespace
❌ Incorrect: Only one type of secrets engine can be enabled on a Vault cluster
✅ Correct: Deploy a second Vault cluster, one for each team
❌ Incorrect: Enable the secrets engine at the default path and create policies that limit what each team can list, read, and write
Vault UI questions
Q12: You need to edit a policy, but the UI appears as shown. What is the problem?
🔘 This is a UI error. Contact support.
🔘 You don't have permission to manage policies.
🔘 Vault UI does not support policy creation and management.
🔘 Use the command shell in UI to manage policies.
❌ Incorrect: This is a UI error. Contact support.
✅ Correct: You don't have permission to manage policies.
❌ Incorrect: Vault UI does not support policy creation and management.
❌ Incorrect: Use the command shell in UI to manage policies.
Source: Vault Policies
Q13: Where on the page would you click to display the list of available Vault-managed encryption keys?
To answer this question: Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.
Source: Vault Transit Secrets Engine
Note
The source of this answer is based on the API documentation. The Vault web user interface uses the same APIs you can use via your preferred programming language or CLI tools.
Vault CLI output questions
Q14: Based on the token lookup output, what type of token is it?
Key                 Value
---                 -----
accessor            n/a
creation_time       1646698338
creation_ttl        20m
display_name        token
entity_id           n/a
expire_time         2022-03-07T16:32:18-08:00
explicit_max_ttl    0s
id                  hvb.AAAAAQJyBEVE-vTWUrg0hcoIPuvKjjNxXXZ5MfsYVg2gJ0fGZpVi0IGTFfh4TqsoQIWaocNRXD1qzGXvhIHWJBM_rWU9YJY8sXOYVy_s1JAHasXJwGmZ_fBLJfSG6aCwQkCGwtAhYw
issue_time          2022-03-07T16:12:18-08:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default test]
renewable           false
ttl                 13m58s
type                batch
🔘 root
🔘 batch
🔘 orphan
🔘 periodic
❌ Incorrect: root
✅ Correct: batch
❌ Incorrect: orphan
❌ Incorrect: periodic
Source: Vault Tokens
Q15: Based on the token lookup output, how many times can the token be used?
Key                 Value
---                 -----
accessor            GMAlk9ZNLGOCuTrOEIAooJG3
creation_time       1646691009
creation_ttl        1h
display_name        token
entity_id           n/a
expire_time         2022-03-07T15:10:09.115115-08:00
explicit_max_ttl    0s
id                  hvs.CAESIJRM-T1q5lEjIWux1Tjx-VGqAYJdd4FZtbp1wpD5Ym9pGh4KHGh2cy5TSjRndGoxaU44NzNscm5MSlRLQXZ0ZGg
issue_time          2022-03-07T14:10:09.115118-08:00
meta                <nil>
num_uses            1
orphan              false
path                auth/token/create
policies            [default]
renewable           true
ttl                 58m14s
type                service
🔘 Until the TTL expires in 58m14s
🔘 1 time
🔘 The token has expired because max TTL is already at 0s
🔘 This token does not expire because the default policy is attached
❌ Incorrect: Until the TTL expires in 58m14s
✅ Correct: 1 time
❌ Incorrect: The token has expired because max TTL is already at 0s
❌ Incorrect: This token does not expire because the default policy is attached
Source: Vault Tokens
Continue studying
To study all of the objectives tested on the exam, review the materials in our learning path. For a reference of the specific study materials that cover a particular exam objective, refer to the content list.