Sample Questions - Vault Associate Certification

The exam mainly consists of multiple choice and true/false questions. In addition, there are UI area selection questions. Some of the multiple choice questions are scenario-based and test your understanding of how Vault is used.

Below are some examples so you can familiarize yourself with the exam format.

True/false questions

Q1: When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt them.

🔘 True
🔘 False

✅ Correct: True
❌ Incorrect: False

Source: Vault Seal/Unseal

Q2: Batch tokens can be renewed indefinitely.

🔘 True
🔘 False

❌ Incorrect: True
✅ Correct: False

Source: Vault Tokens

Q3: To seal a Vault, the client token must have the sudo capability on the sys/seal path.

🔘 True
🔘 False

✅ Correct: True
❌ Incorrect: False

Source: Vault /sys/seal

Select one

Q4: Which statement is true about an orphan token?

🔘 It does not expire when its parent does
🔘 It is not persisted
🔘 It does not have a max time-to-live (TTL)
🔘 It has a use limit

✅ Correct: It does not expire when its parent does
❌ Incorrect: It is not persisted
❌ Incorrect: It does not have a max time-to-live (TTL)
❌ Incorrect: It has a use limit

Source: Vault Token

Q5: Which path will this policy allow?

path "kv/+/team_*" {
    capabilities = [ "read" ]
}

🔘 kv/team_edu
🔘 kv/us-west/team
🔘 kv/us-west/team_edu
🔘 kv/us-west/ca/team_edu

❌ Incorrect: kv/team_edu
❌ Incorrect: kv/us-west/team
✅ Correct: kv/us-west/team_edu
❌ Incorrect: kv/us-west/ca/team_edu

Source: Vault Policies

Q6: An organization needs to protect sensitive application data currently stored in a database as plaintext. Which secrets engine provides a solution?

🔘 Key/Value v2 secrets engine
🔘 Cubbyhole secrets engine
🔘 Transit secrets engine
🔘 Database secrets engine

❌ Incorrect: Key/Value v2 secrets engine
❌ Incorrect: Cubbyhole secrets engine
✅ Correct: Transit secrets engine
❌ Incorrect: Database secrets engine

Source: Vault Transit Secrets Engine

Q7: Which command will retrieve all enabled secrets engines?

🔘 vault secrets get
🔘 vault secrets read
🔘 vault secrets list
🔘 vault secrets move

❌ Incorrect: vault secrets get
❌ Incorrect: vault secrets read
✅ Correct: vault secrets list
❌ Incorrect: vault secrets move

Source: Vault secrets list

Multiple choice questions

Some multiple choice questions have more than one correct answer, and you must select all of them. When this is the case, the question explicitly states so. Read the question carefully.

Q8: What is true of Vault tokens? Choose TWO correct answers.

  • Vault tokens are generated by every authentication method login
  • Vault tokens are also known as unseal keys
  • Vault tokens are required for every Vault call
  • Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
  • Vault tokens are the core method for authentication in Vault

✅ Correct: Vault tokens are generated by every authentication method login
❌ Incorrect: Vault tokens are also known as unseal keys
❌ Incorrect: Vault tokens are required for every Vault call
❌ Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
✅ Correct: Vault tokens are the core method for authentication in Vault

Source: Vault Tokens

Q9: Which statements correctly describe the command below? Choose TWO correct answers.

vault write transit/decrypt/password \
  ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==

  • Returns an error due to missing encryption key name
  • Returns base64-encoded plaintext
  • Decrypts the ciphertext if the token permits
  • Returns the ciphertext
  • Requires sudo capability on the transit/decrypt/password path

❌ Incorrect: Returns an error due to missing encryption key name
✅ Correct: Returns base64-encoded plaintext
✅ Correct: Decrypts the ciphertext if the token permits
❌ Incorrect: Returns the ciphertext
❌ Incorrect: Requires sudo capability on the transit/decrypt/password path

Source: Vault Transit Secrets Engine

Q10: Which of the following statements explain the benefit of response wrapping? Choose TWO correct answers.

  • Limits the time of secret exposure by having a short-lived wrapping token
  • Allow versioning of the secrets
  • It protects Vault's root key (previously known as master key)
  • Only the reference to the secrets is transmitted over the public network
  • Limits the size of secrets to be transmitted over the network

✅ Correct: Limits the time of secret exposure by having a short-lived wrapping token
❌ Incorrect: Allow versioning of the secrets
❌ Incorrect: It protects Vault's root key (previously known as master key)
✅ Correct: Only the reference to the secrets is transmitted over the public network
❌ Incorrect: Limits the size of secrets to be transmitted over the network

Source: Vault Response Wrapping

Q11: Your organization has recently adopted Vault open source. You have been asked to enable the Vault K/V Version 2 secrets engine by two different teams. Company policy states the teams cannot share the same secrets engine. What are two possible solutions?

  • Enable the secret engine at a dedicated path for each team using the -path parameter
  • Create a namespace for each of the teams and enable the secret engine in the teams namespace
  • Only one type of secret engine can be enabled on a Vault cluster
  • Deploy a second Vault cluster, one for each team
  • Enable the secret engine at the default path and create policies that limit what each team can list, read, and write

✅ Correct: Enable the secret engine at a dedicated path for each team using the -path parameter
❌ Incorrect: Create a namespace for each of the teams and enable the secret engine in the teams namespace
❌ Incorrect: Only one type of secret engine can be enabled on a Vault cluster
✅ Correct: Deploy a second Vault cluster, one for each team
❌ Incorrect: Enable the secret engine at the default path and create policies that limit what each team can list, read, and write

Source:
Vault secrets enable
Vault Enterprise Namespaces

Vault UI questions

Q12: You need to edit a policy, but the UI appears as shown. What is the problem?

🔘 This is an UI error. Contact support.
🔘 You don't have a permission to manage policies.
🔘 Vault UI does not support policy creation and management.
🔘 Use the command shell in UI to manage policies.

❌ Incorrect: This is an UI error. Contact support.
✅ Correct: You don't have a permission to manage policies.
❌ Incorrect: Vault UI does not support policy creation and management.
❌ Incorrect: Use the command shell in UI to manage policies.

Source: Vault Policies

Q13: Where on the page would you click to display the list of available Vault-created encryption keys?

To answer this question: Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.

Source: Vault Transit Secrets Engine

Note

The source of this answer is based on the API documentation. The Vault web user interface uses the same APIs you can use via your preferred programming language or CLI tools.

Vault CLI output questions

Q14: Based on the token lookup output, what type of token is it?

Key                 Value
---                 -----
accessor            n/a
creation_time       1646698338
creation_ttl        20m
display_name        token
entity_id           n/a
expire_time         2022-03-07T16:32:18-08:00
explicit_max_ttl    0s
id                  hvb.AAAAAQJyBEVE-vTWUrg0hcoIPuvKjjNxXXZ5MfsYVg2gJ0fGZpVi0IGTFfh4TqsoQIWaocNRXD1qzGXvhIHWJBM_rWU9YJY8sXOYVy_s1JAHasXJwGmZ_fBLJfSG6aCwQkCGwtAhYw
issue_time          2022-03-07T16:12:18-08:00
meta                <nil>
num_uses            0
orphan              false
path                auth/token/create
policies            [default test]
renewable           false
ttl                 13m58s
type                batch

🔘 root
🔘 batch
🔘 orphan
🔘 periodic

❌ Incorrect: root
✅ Correct: batch
❌ Incorrect: orphan
❌ Incorrect: periodic

Source: Vault Tokens

Q15: Based on the token lookup output, how many times can the token be used?

Key                 Value
---                 -----
accessor            GMAlk9ZNLGOCuTrOEIAooJG3
creation_time       1646691009
creation_ttl        1h
display_name        token
entity_id           n/a
expire_time         2022-03-07T15:10:09.115115-08:00
explicit_max_ttl    0s
id                  hvs.CAESIJRM-T1q5lEjIWux1Tjx-VGqAYJdd4FZtbp1wpD5Ym9pGh4KHGh2cy5TSjRndGoxaU44NzNscm5MSlRLQXZ0ZGg
issue_time          2022-03-07T14:10:09.115118-08:00
meta                <nil>
num_uses            1
orphan              false
path                auth/token/create
policies            [default]
renewable           true
ttl                 58m14s
type                service

🔘 Until the TTL expires in 58m14s
🔘 1 time
🔘 The token has expired because max TTL is already at 0s
🔘 This token does not expire because the default policy is attached

❌ Incorrect: Until the TTL expires in 58m14s
✅ Correct: 1 time
❌ Incorrect: The token has expired because max TTL is already at 0s
❌ Incorrect: This token does not expire because the default policy is attached

Source: Vault Tokens

Next steps

The Review Guide provides a table of exam objectives, each with links to its corresponding documentation and Learn tutorial. Use the table as your checklist to prepare for the exam.
