HashiCorp Certified Vault Associate Practice Test 2
Question 1 of 41
True or False? After the lease has expired for a dynamic secret, Vault revokes the credentials on the backend platform for which they were created (i.e., database, AWS, Consul).
When a lease expires, Vault does indeed revoke the credentials on the platform for which they were created. This not only invalidates the credentials being used, but it also eliminates technical debt on the backend platform. https://www.vaultproject.io/docs/concepts/lease
Question 2 of 41
Industrial Robot Corp is running applications active/active in multiple data centers for high availability. Vault has been selected as the secrets management tool for tight integration with its applications. What Vault feature should be used in the secondary data center to ensure applications have local access to secrets?
Performance replication clusters should be used in an active/active scenario so that applications in both data centers can easily access Vault secrets. This provides local access while providing high availability for both the applications and Vault itself.
– DR clusters won’t respond to clients; they are useful for active/passive scenarios
– performance standby nodes are used to scale out a single Vault cluster, not across multiple data centers
– federated Consul clusters should NEVER be used as a backend for Vault. Please don’t do this if you value your time.
https://www.vaultproject.io/docs/enterprise/replication#performance-replication-and-disaster-recovery-dr-replication
Question 3 of 41
Which of the following secrets engines can store static secrets in Vault for future retrieval?
Beyond Cubbyhole, the KV secrets engine is the ONLY secrets engine that will store static data in Vault for future retrieval. All other secrets engines either generate or encrypt data. https://www.vaultproject.io/docs/secrets#secrets-engines
Question 4 of 41
What command can be used to update a Vault policy named web-app-1 using the command line?
This one is tricky and the policy command trips me up sometimes. For one, there is no update subcommand, only write. So when you need to update a Vault policy, you just write it again with vault policy write, using the same name as the policy that already exists. Personally, I mix this up with create all the time, but create is NOT a valid subcommand. https://www.vaultproject.io/docs/commands/policy/write
Question 5 of 41
You need to decrypt customer data to provide it to an application. When you run the decryption command, you get the output below. Why does the response not directly reveal the cleartext data?
$ vault write transit/decrypt/phone_number \
    ciphertext="vault:v1:tgx2vsxtlQRfyLSKvem…"
Key          Value
---          -----
plaintext    aGFzaGljb3JwIGNlcnRpZmllZDogdmF1bHQgYXNzb2NpYXRl
All plaintext data must be base64-encoded before being encrypted by Vault. As a result, decrypted data is always returned base64-encoded. You can decode the output to reveal the original cleartext data (the value above decodes to "hashicorp certified: vault associate"). https://www.vaultproject.io/docs/secrets/transit#usage
Question 6 of 41
Ryan is running Vault in dev mode on his laptop to test a few secrets engines. Based on the screenshot below, how many secrets engines have been enabled on this Vault instance?
Ryan has enabled two secrets engines, AWS and database. In any Vault instance, Cubbyhole is enabled by default. In addition, since Ryan is running in dev mode, the secret/ KV v2 secrets engine is also enabled by default. Therefore, there are two secrets engines enabled by default and two that Ryan enabled.
Hint: If you’re not running dev mode, Vault no longer enables a default KV secrets engine like it used to.
https://www.vaultproject.io/docs/secrets/cubbyhole
https://www.vaultproject.io/docs/concepts/dev-server#properties
Question 7 of 41
True or False? Although AppRole is designed for machines, humans can use it to authenticate to Vault if you wish.
Yeah, absolutely. Although it’s not very friendly for us humans to remember the values of a ROLE_ID or SECRET_ID, you could use it if you wanted to. https://www.vaultproject.io/docs/auth/approle
Question 8 of 41
True or False? The root and default policies can be deleted if they are not needed or being used.
The default and root policies cannot be deleted. You don’t have to use them, but you can’t delete them. For the default policy, you can instruct Vault not to attach the default policy to a new token by issuing the following command:
$ vault token create -no-default-policy
https://www.vaultproject.io/docs/concepts/policies#built-in-policies
Question 9 of 41
Based on the output below, how many policies have been added to Vault?
$ vault policy list
base
default
root
web-app-1
automation-team
Vault has two built-in policies, root and default:
– root policy is created by default; it is a superuser with all permissions
– default policy is created by default; it grants common permissions
This means that the base, web-app-1, and automation-team policies have been added to Vault. https://www.vaultproject.io/docs/concepts/policies#built-in-policies
Question 10 of 41
You are enabling a secrets engine in Vault using the CLI. What subcommands are available when using the vault secrets command? (select five)
The vault secrets command has several subcommands to use when working with secrets engines, including:
– disable – Disable a secrets engine
– enable – Enable a secrets engine
– list – List enabled secrets engines
– move – Move a secrets engine to a new path
– tune – Tune a secrets engine configuration
https://www.vaultproject.io/docs/commands/secrets#usage
Question 11 of 41
You have ciphertext stored in an Amazon S3 bucket that contains customer data encrypted by the key named prod-customer.
vault:v4:Xa1f9FIJtn13em/Wb7QCsXsU/kCOn7…
When you look up the properties of the key, the following output is shown:
$ vault read transit/keys/prod-customer
Key                       Value
---                       -----
…
keys                      map[4:1549347108 5:1549347109 6:1549347110]
latest_version            6
min_available_version     0
min_decryption_version    4
min_encryption_version    0
Will Vault decrypt this data for you by running the following command?
Vault maintains the versioned keyring, and Vault operators can decide the minimum key version allowed for decryption operations. As long as the key version that produced the ciphertext (v4 here) is still in the keyring and is not below min_decryption_version, the data can be decrypted. If min_decryption_version were set to 5 or 6, you would NOT be able to decrypt the data. https://www.vaultproject.io/docs/secrets/transit#usage
Question 12 of 41
Complete the sentence: Unsealing Vault is the process of ___________________________.
Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key that decrypts the data, allowing access to the Vault.
Decrypting the Vault data is a result of unsealing Vault, but the process of unsealing Vault does not directly decrypt the Vault data. https://www.vaultproject.io/docs/concepts/seal#seal-unseal
Question 13 of 41
True or False? The following policy permits a user to read secrets contained in the path secrets/cloud/apps/jenkins.
path "secrets/cloud/apps/jenkins/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
This policy will NOT permit access to secrets stored at secrets/cloud/apps/jenkins. Notice that in the policy, the wildcard (*) is AFTER the jenkins path, and not AT the jenkins path. This policy would permit access to anything AFTER the jenkins path, but not ON the jenkins path itself. To access secrets on the jenkins path, you’d need to add secrets/cloud/apps/jenkins or even something like secrets/cloud/apps/* to the policy.
(Sneaky, I know. But you need to understand where the permissions start and stop based on the defined path in the policy.) https://www.vaultproject.io/docs/concepts/policies
Question 14 of 41
Select the (two) paths below that would be permitted for read access based upon the following Vault policy:
path "secret/+/training/*" {
  capabilities = ["create", "read"]
}
– secret/departments/certification/api is not permitted, since certification does not equal training as part of the path
– secret/business/training is not permitted, since the wildcard is AFTER training, and not ON the training path (tricky)
– secret/departments/training/vault is permitted, since the + allows any single value where departments sits in the path, and vault is in place of where the * is placed in the path
– secret/cloud/training/test/exam is permitted, since + allows cloud and * allows test/exam as the remainder of the path
https://www.vaultproject.io/docs/concepts/policies#policy-syntax
Question 15 of 41
Assuming defaults, what is the default TTL for tokens in Vault if one is not specified?
When no specific TTL is provided, a generated token will inherit the default TTL, which is 2764800 seconds (32 days). The same default applies to the maximum TTL. This can be changed by executing the following command, if needed:
vault write sys/mounts/auth/token/tune default_lease_ttl=1h max_lease_ttl=24h
Question 16 of 41
Jarrad is an AWS engineer and has provisioned a new EC2 instance running MySQL since his application requires a specific MySQL version. He wants to integrate Vault into his workflow but is new to Vault. What secrets engine should Jarrad use to integrate this new database running in AWS?
To manage the database resource, the database secrets engine should be used, specifically with the MySQL plugin. In this scenario, the key is that the backend platform that needs to be managed is a database; where it’s hosted is *mostly* irrelevant. I say mostly because the database secrets engine supports many types of databases, and MySQL running in RDS handles credentials slightly differently than a MySQL database running on an EC2 instance. https://www.vaultproject.io/docs/secrets/databases/mysql-maria
Question 17 of 41
Frank has secrets. Fortunately, he wants to store those secrets in Vault so other people may use them where needed. What CLI command can Frank use to store a username and password in a KV v2 secrets engine path at cloud/apps/terraform?
Although this is a KV v2 secrets engine, the CLI command does not require the data prefix that the API does. Therefore, the correct command is vault kv put cloud/apps/terraform username=password. Any interaction with KV secrets should begin with vault kv. https://www.vaultproject.io/docs/secrets/kv/kv-v2
Question 18 of 41
You need to create a limited-privileged token that isn’t impacted by the TTL of its parent. What type of token should you create?
Which of the following actions can be performed if you only had access to a token’s accessor? (select four)
When tokens are created, a token accessor is also created and returned. This accessor is a value that acts as a reference to a token and can only be used to perform limited actions:
– Look up a token’s properties (not including the actual token ID)
– Look up a token’s capabilities on a path
– Renew the token
– Revoke the token
The token making the call, not the token associated with the accessor, must have appropriate permissions for these functions. https://www.vaultproject.io/docs/concepts/tokens#token-accessors
Question 20 of 41
Hanna is working with Vault and has been assigned a namespace called integration, which is where she stores all of her secrets. Hanna instructs her application to use the following API request, but the request is failing. What changes below will help Hanna properly retrieve the secret?
To invoke an API on a specific namespace, you can pass the target namespace in the X-Vault-Namespace header or make the namespace a part of the API endpoint path. https://www.vaultproject.io/docs/enterprise/namespaces
Question 21 of 41
Julie is a developer who needs to ensure an application can properly renew its lease for AWS credentials it uses to access data in an S3 bucket. Although the application would generally use the API, what is the equivalent CLI command to perform this action?
The proper command would be vault lease renew aws/creds/s3-read-only/39e6b9a2-296-83d9-2fe0-c11e846bdc99. If you wanted to change the specific increment for the new lease, you could use the -increment flag in the command as well. https://www.vaultproject.io/docs/commands/lease/renew
Question 22 of 41
In Vault, there are two main types of tokens, batch and service. Which of the following is true about the renewable capabilities of each?
Which of the following storage backends support high availability? (select four)
Different storage backends support different features, such as high availability or being supported by HashiCorp technical support. You can find the list of backends at the link below and view supporting information for each. https://www.vaultproject.io/docs/configuration/storage
Question 25 of 41
You have TBs of data encrypted by Vault stored in a database and are worried about Vault becoming unavailable and not being able to decrypt the data. Is it possible to export the encryption key to store it somewhere else in the event Vault becomes unavailable?
When creating the key, the exportable flag must be set to true; by default, it is false. This allows all the valid key versions in the keyring to be exported. Once set, exportable cannot be disabled.
This is not best practice, so please be careful if you decide to export the key. https://www.vaultproject.io/api-docs/secret/transit#exportable
Question 26 of 41
26. Question
True or False? You can create and update Vault policies using the UI.
Correct
You can indeed create and update Vault policies within the UI. See below:
Question 27 of 41
27. Question
Elijah manages a legacy application that requires strict control over when its service account credentials change. Which type of credential should be used for this legacy application?
Correct
Static credentials should be used here so they can be controlled outside of Vault. However, these static credentials should still be stored within Vault using the KV secrets engine so they are not stored somewhere in plaintext. https://learn.hashicorp.com/tutorials/vault/static-secrets
Question 28 of 41
28. Question
Which of the following are valid types of tokens available in Vault? (select five)
Correct
Service tokens are the general-purpose tokens that most people mean when referring to a token in Vault.
Batch tokens are encrypted binary large objects (blobs) that carry just enough information for authentication.
Periodic service tokens have a TTL, but no max TTL.
Orphan tokens are not children of the token that created them; therefore, they do not expire when that token does.
********************************************************************
Policy and primary tokens are NOT valid token types in Vault. https://www.vaultproject.io/docs/concepts/tokens
Question 29 of 41
29. Question
Thomas has authenticated to Vault using the API and has received the following response. What data must Thomas parse from the response in order to continue making requests to Vault?
{
  "request_id": "65897160-fd8b-1f87-c24e-fdba14c9728e",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "s.lzrmRe5Y3LMcDRmOttEjWoag",
    "accessor": "EMX0nv4nr0Y1wXoaN7i0WDW1",
    "policies": [
      "bryan",
      "default"
    ],
    "token_policies": [
      "bryan",
      "default"
    ],
    "metadata": {
      "username": "bryan"
    },
    "lease_duration": 2764800,
    "renewable": true,
    "entity_id": "40e203e8-818e-b6ad-4cb3-0befdbf9b598",
    "token_type": "service",
    "orphan": true
  }
}
Correct
When you authenticate to Vault using the API, the response includes the client_token, which is required for subsequent requests. To extract it, format the output as JSON (as above) and parse the response with a tool such as jq, reading the token at .auth.client_token. https://www.vaultproject.io/api/auth/userpass#login
Question 30 of 41
30. Question
True or False? To encrypt existing encrypted data with the latest version of the encryption key, you need to first decrypt it and then request Vault to re-encrypt it with the latest version of the encryption key.
Correct
False. You can use the rewrap feature of the transit secrets engine to rewrap the data with the latest version of the key. This process does not reveal the plaintext data. https://www.vaultproject.io/docs/secrets/transit
Question 31 of 41
31. Question
What Vault feature can be used to locally cache secrets for an application and reduce the number of requests sent to Vault?
Correct
Vault Agent Caching allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens. The renewals of the cached tokens and leases are also managed by the agent. https://www.vaultproject.io/docs/agent/caching
Question 32 of 41
32. Question
Vault operators can create two types of groups in Vault. What are the two types?
Correct
Internal and external groups can be created in Vault. Internal groups are created in the identity store and map to other groups or entities. Internal groups are created manually as needed. External groups are usually associated with an auth method, such as LDAP or OIDC. They can be created automatically as a result of mapping LDAP groups to policies, or they can be created manually, such as if you’re using OIDC for authentication. https://www.vaultproject.io/docs/secrets/identity#external-vs-internal-groups
Question 33 of 41
33. Question
Which of the following features in Vault will replicate service tokens between clusters?
Correct
Vault supports two different types of replication, performance and disaster recovery (DR). Performance clusters create and maintain their own tokens. These tokens are NOT replicated to other clusters. DR clusters are essentially a warm standby and do replicate tokens from the primary cluster. https://www.vaultproject.io/docs/enterprise/replication
Question 34 of 41
34. Question
What is the default value of the VAULT_ADDR environment variable?
Correct
Vault assumes the value of https://127.0.0.1:8200 when you make requests to Vault. If the URL is not correct, you must change it by using the command export VAULT_ADDR="http://vault.example.com" (Linux) or set VAULT_ADDR=http://vault.example.com (Windows). Note that Windows does not use quotes around the URL. https://www.vaultproject.io/docs/commands#vault_addr
Question 35 of 41
35. Question
True or False? Once you authenticate to Vault using the API, subsequent requests will automatically be permitted without further interaction.
Correct
When authenticating to Vault using the API, Vault will return a token. It is up to the operator or automation to extract the token from the response and submit it as part of subsequent requests. For example, check out the response in this example on HashiCorp's website. Notice that the response includes the client_token under the .auth.client_token key. This value must be extracted (for example with a JSON parsing tool such as jq) so that it can be sent as the X-Vault-Token header on subsequent requests, as in these examples.
This is applicable to any auth method, although I'm highlighting AppRole in this example. https://www.vaultproject.io/docs/auth/approle
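Question 29 and this question both come down to pulling .auth.client_token out of the login response. The Python below is an added example (not part of the practice test and not HashiCorp's code): it does the jq step programmatically against a constructed response with placeholder values in the same shape as the one shown in Question 29, builds the X-Vault-Token header, and shows which other fields a client should keep for renewal and logging.

```python
import json

# Constructed sample login response: same shape as the response in Question 29,
# with placeholder token/accessor/ids (not real Vault values).
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": None,
    "wrap_info": None,
    "warnings": None,
    "auth": {
        "client_token": "s.PLACEHOLDERclienttoken",
        "accessor": "PLACEHOLDERaccessor",
        "policies": ["bryan", "default"],
        "token_policies": ["bryan", "default"],
        "metadata": {"username": "bryan"},
        "lease_duration": 2764800,
        "renewable": True,
        "entity_id": "00000000-0000-0000-0000-000000000000",
        "token_type": "service",
        "orphan": True,
    },
})


def parse_login_response(body: str) -> dict:
    """Extract what a client needs from a Vault login response.

    The token lives at .auth.client_token (the same path the explanation
    reads with jq); the other fields drive renewal decisions and logging.
    """
    doc = json.loads(body)
    auth = doc.get("auth")
    if not auth or not auth.get("client_token"):
        # A failed login, or a response-wrapped login, has no usable auth block.
        raise ValueError("login response carries no auth.client_token")
    return {
        "token": auth["client_token"],
        "accessor": auth["accessor"],
        "policies": list(auth.get("token_policies") or auth.get("policies") or []),
        "renewable": bool(auth.get("renewable", False)),
        "lease_duration": int(auth.get("lease_duration", 0)),
        "token_type": auth.get("token_type", "service"),
    }


def auth_headers(token: str) -> dict:
    """Header that every subsequent API request must carry."""
    return {"X-Vault-Token": token}


def needs_renewal(auth: dict, seconds_elapsed: int, margin: float = 0.1) -> bool:
    """True once a renewable token is within `margin` of its TTL.

    Batch tokens are never renewable, so they are skipped regardless of flags.
    """
    if auth["token_type"] == "batch" or not auth["renewable"]:
        return False
    return seconds_elapsed >= auth["lease_duration"] * (1 - margin)


def log_line(auth: dict) -> str:
    """Log the accessor, never the token: the accessor lets an operator look up
    or revoke the token but cannot be used to authenticate."""
    return "vault auth ok accessor=%s policies=%s" % (auth["accessor"], ",".join(auth["policies"]))
```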
Question 36 of 41
36. Question
Big City Tool Corporation has many applications that require heavy read access to Vault. As more and more of these applications are integrated with Vault, the performance of the primary Vault cluster continues to be negatively impacted. What feature can Big City Tool Corp use to scale out the cluster and improve performance?
Correct
Vault Enterprise offers additional features that allow HA nodes to service read-only requests on the local standby node. Read-only requests are requests that do not modify Vault’s storage. This feature is called Performance Standby nodes. https://www.vaultproject.io/docs/enterprise/performance-standby
Question 37 of 41
37. Question
True or False? A token can be renewed up until the max TTL, even if the TTL has been reached.
Question 38 of 41
38. Question
Suzy is a Vault user that needs to create and replace values at the path secrets/automation/apps/chef. Does the following policy grant her the permissions to do so?
path "secrets/automation/apps/chef" {
  capabilities = ["create", "read", "list"]
}
Correct
If Suzy needs to create AND replace values (update), she needs both the "create" and "update" capabilities: "create" to write new KV pairs initially, and "update" to change the values of pairs that already exist. https://www.vaultproject.io/docs/concepts/policies
Question 39 of 41
39. Question
Scenario: Kyle is a Vault administrator and has enabled the database secrets engine for dynamic credentials. Amy, a senior DBA, has been doing some cleanup work on the database clusters that she owns. She accidentally deleted some of the database users that Vault created for clients, causing problems for the applications using them.
How can Kyle manually remove the leases in Vault?
Correct
Kyle will need to delete the leases from Vault using the -force flag of the vault lease revoke command, since a normal revocation would fail when the secrets engine tries to remove credentials that no longer exist on the database. This flag is meant for recovery situations where the secret in the target secrets engine was manually removed. If this flag is specified, -prefix is also required. It is aliased as "-f". The default is false. https://www.vaultproject.io/docs/commands/lease/revoke
Question 40 of 41
40. Question
Tom is authenticating to Vault using the CLI. Which of the following commands allows Tom to authenticate using the userpass method WITHOUT logging his password to the shell history?
Correct
This question is really focused on the proper command to log into Vault and not necessarily the hidden password aspect of it, although that gives it a little bit of a twist 🙂
In the CLI, the shell history (if enabled) will log any commands that you type. If you enter the command vault login -method=userpass username=tom and press enter, you will be prompted to enter your password, and the input is hidden. Because the password is not part of the command line, Linux will not record it in the shell history. Note that both vault login -method=userpass username=tom and vault login -method=userpass username=tom password=jerry are valid commands to log in to Vault. https://www.vaultproject.io/docs/auth/userpass
Question 41 of 41
41. Question
Which of the following are supported auth methods for Vault? (select six)
Correct
All of the options are valid auth methods except for Cubbyhole and Active Directory. But... I know what you're thinking: I can totally authenticate with my Active Directory credentials. You're correct, but Active Directory authentication is provided by the LDAP auth method, not by an Active Directory auth method (yes, I'm being tricky, but you should know this).
Active Directory is actually a secrets engine. So is Cubbyhole. https://www.vaultproject.io/docs/auth