HashiCorp Certified: Vault Associate (003) HCVA0-003 Exam Practice Test

Answer : B

Comprehensive and Detailed In-Depth

API auth requires ongoing token use:

B . False: 'Once you authenticate using the API, subsequent requests are not automatically permitted without further interaction. Each request to Vault requires authentication using the token returned by Vault.'

Incorrect Option:

A . True: Incorrect; token must be provided.

Answer : A

The command vault secrets enable transit enables the transit secrets engine at the transit path. The transit secrets engine is a secrets engine that handles cryptographic functions on data in-transit, such as encryption, decryption, signing, verification, hashing, and random bytes generation. The transit secrets engine does not store the data sent to it, but only performs the requested operations and returns the results. The transit secrets engine can also be viewed as ''cryptography as a service'' or ''encryption as a service''. The command vault secrets enable transit uses the default path of transit for the secrets engine, but this can be changed by using the -path option. For example, vault secrets enable -path=my-transit transit would enable the transit secrets engine at the my-transit path.Reference:Transit - Secrets Engines | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer

Answer : C

Comprehensive and Detailed in Depth

A: Sealing would prevent decryption, not return encoded data. Incorrect.

B: Permission issues don't return encoded data. Incorrect.

C: Transit returns base64-encoded plaintext; decoding Y3JlZGl0LWNhcmQtbnVtYmVyCg== yields ''credit-card-number''. Correct.

D: No evidence of corruption; it's a format issue. Incorrect.

Overall Explanation from Vault Docs:

''All plaintext data must be base64-encoded... Decode it to reveal the original value.''

Answer : A, C, E, F

Comprehensive and Detailed in Depth

Batch tokens are lightweight alternatives to service tokens, with trade-offs. Let's analyze:

A: Designed for short-lived, high-performance tasks. Correct.

B: Cannot be root tokens; root status is service-token-specific. Incorrect.

C: Orphan batch tokens work in replication. Correct.

D: No accessors; unique to service tokens. Incorrect.

E: Minimal overhead makes them scalable. Correct.

F: No disk storage reduces cost. Correct.

Overall Explanation from Vault Docs:

''Batch tokens are encrypted blobs... lightweight, scalable, no storage cost, ideal for ephemeral workloads.''

Answer : D

Comprehensive and Detailed In-Depth

The requirement is to store static credentials (from Active Directory) in Vault with versioning (last 3 versions) for a CI/CD pipeline. The KV v2 secrets engine is designed for this: it stores arbitrary key-value pairs and supports versioning, allowing configuration of a maximum version count (e.g., vault kv metadata put -max-versions=3 kv/path). KV v1 (option A) lacks versioning. The LDAP engine (B) is for dynamic LDAP credentials, not static storage. The Identity engine (C) manages identities, not secrets. KV v2's versioning capability meets all needs, per its documentation.

KV v2 Docs

KV Versions Comparison

Answer : D

Comprehensive and Detailed in Depth

Vault tokens have a Time-To-Live (TTL) that determines their expiration time, after which they are revoked. Parent-child relationships mean that revoking a parent token also revokes its children, regardless of their TTLs. Let's analyze:

A: TTL 4 hours - Expires after 4 hours, no children listed.

B: TTL 6 hours - Expires after 6 hours, parent to C.

C: TTL 4 hours (child of B) - Expires after 4 hours or if B is revoked earlier.

D: TTL 3 hours - Expires after 3 hours, parent to E.

E: TTL 5 hours (child of D) - Expires after 5 hours or if D is revoked earlier.

Analysis:

Shortest TTL is D (3 hours), so it expires first unless a parent above it (none listed) is revoked sooner.

E (5 hours) is a child of D. If D is revoked at 3 hours, E is also revoked, despite its longer TTL.

A and C (4 hours) expire after D.

B (6 hours) expires last among parents.

The question asks which token(s) are revoked first based on TTL alone, not manual revocation. D has the shortest TTL (3 hours) and will be revoked first. E's revocation depends on D, but the question focuses on initial expiration. Thus, only D is revoked first based on its TTL.

Overall Explanation from Vault Docs:

Tokens form a hierarchy where child tokens inherit revocation from their parents. ''When a parent token is revoked, all of its child tokens---and all of their leases---are revoked as well.'' TTL dictates automatic expiration unless overridden by manual revocation or parent revocation. Here, D's 3-hour TTL is the shortest, making it the first to expire naturally.

Answer : D

Comprehensive and Detailed In-Depth

The AWS secrets engine generates dynamic credentials, enhancing security. The Vault documentation states:

'The best bet here is to use the AWS secrets engine to generate dynamic credentials for your AWS account(s) when Terraform is executed. You can use the Vault provider to grab these credentials for Vault and then use the credentials as inputs for your AWS provider. In this scenario, Terraform would generate credentials only when executed, and the credentials would automatically expire when the lease expires.'

--- Vault Secrets: AWS

D: Correct. Dynamic, short-lived credentials limit exposure:

'Enabling the aws secrets engine in Vault allows you to dynamically generate short-lived AWS credentials for each terraform apply.'

--- Vault Secrets: AWS

A: SSH engine is unrelated to AWS.

B: Transit encrypts data, not credentials.

C: KV stores static credentials, less secure.

Vault Secrets: AWS

Vault Provider for Terraform