What is the default method of authentication after first initializing Vault?
Answer : D
Comprehensive and Detailed In-Depth
After initializing Vault, the default authentication method is Tokens, specifically the root token. The HashiCorp Vault documentation states: 'After initializing, Vault provides the user the root token, which is the only way to log in to Vault in order to configure additional auth methods.' This root token is generated during initialization and serves as the initial means of authentication until other methods are configured.
The documentation further explains under the 'Token Authentication' section: 'Tokens are the core method for authentication within Vault. Upon initialization, a root token is created which can be used to configure Vault further.' TLS certificates, GitHub, AppRole, and Userpass require additional setup, and there's no default Admin account method. Thus, D (Tokens) is correct.
HashiCorp Vault Documentation - Token Authentication
A developer has requested access to manage secrets at the path kv/apps/webapp01. You create the policy below which gives them the proper access:
path "kv/apps/webapp01" {
capabilities = ["read", "create", "update", "list"]
}
However, when the developer logs in to the Vault UI, they see the following screenshot and cannot access the desired secret. Why can't the developer see the secrets they need?
Answer : C
Comprehensive and Detailed In-Depth
The Vault UI requires list permissions on parent paths to navigate mounts. The Vault documentation states:
'When you are using the UI, you will likely need to add additional LIST permissions to the mount (sys/mounts) and then LIST for every path up to the desired secret.'
--- Vault API: sys/mounts
C: Correct. The policy grants list only on kv/apps/webapp01 itself, with nothing on sys/mounts, kv/ or kv/apps/, so the UI cannot render the kv/ mount or navigate down to the secret (the developer could still reach it from the CLI or API, where the exact path is supplied directly):
'The policy doesn't permit list access to the paths prior to the secret so the Vault UI doesn't display the mount path.'
--- Vault Tutorials: Policies
A: Incorrect; the UI isn't user-specific.
B: Incorrect; KV is available in the UI.
D: Incorrect; the path is kv/, not cubbyhole.
Vault API: sys/mounts
Vault Tutorials: Policies
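To make the rule concrete, here is an added example (not from the page or from HashiCorp) that takes the page's policy and an assumed corrected version, then checks which of the parent paths the UI needs list on are missing from each. Both policy files are constructed in the script; the awk parser handles only simple one-rule-per-block policies like these and is not a general HCL parser.

```shell
#!/bin/sh
# Added example (not from the page or HashiCorp): report which parent paths a
# policy lacks "list" on, following the quoted rule that the UI needs list on
# sys/mounts and on every path up to the secret. Both policy files are
# constructed here; the "fixed" one is an assumed correction.
set -e

WORK=$(mktemp -d)
ORIGINAL_POLICY="$WORK/original.hcl"
FIXED_POLICY="$WORK/fixed.hcl"

cat > "$ORIGINAL_POLICY" <<'EOF'
path "kv/apps/webapp01" {
  capabilities = ["read", "create", "update", "list"]
}
EOF

cat > "$FIXED_POLICY" <<'EOF'
path "sys/mounts" {
  capabilities = ["list"]
}
path "kv/" {
  capabilities = ["list"]
}
path "kv/apps/" {
  capabilities = ["list"]
}
path "kv/apps/webapp01" {
  capabilities = ["read", "create", "update", "list"]
}
EOF

# Print every path in a simple one-rule-per-block policy whose capabilities
# include "list". Good enough for policies shaped like the ones above.
list_paths_in_policy() {
  awk '
    /^[ \t]*path[ \t]+"/ {
      p = $0
      sub(/^[ \t]*path[ \t]+"/, "", p)
      sub(/".*/, "", p)
      path = p
    }
    /capabilities/ && /"list"/ { print path }
  ' "$1"
}

# Print the paths the UI must be able to list to reach a secret:
# sys/mounts, then each directory prefix of the secret path.
parents_needing_list() {
  secret=$1
  printf '%s\n' "sys/mounts"
  case $secret in
    */*) dir=${secret%/*} ;;
    *)   return 0 ;;
  esac
  acc=""
  old_ifs=$IFS
  IFS=/
  for part in $dir; do
    acc="$acc$part/"
    printf '%s\n' "$acc"
  done
  IFS=$old_ifs
}

# Print the required parent paths that the policy does not grant list on.
missing_list_paths() {
  granted=$(list_paths_in_policy "$1")
  parents_needing_list "$2" | while read -r need; do
    printf '%s\n' "$granted" | grep -Fxq -- "$need" || printf '%s\n' "$need"
  done
}

echo "missing from original policy:"
missing_list_paths "$ORIGINAL_POLICY" kv/apps/webapp01
echo "missing from fixed policy:"
missing_list_paths "$FIXED_POLICY" kv/apps/webapp01
```

Run against the page's policy this lists sys/mounts, kv/ and kv/apps/ as missing; against the corrected policy it lists nothing. Note that list on kv/ and kv/apps/ also lets the developer see the names of sibling keys under those paths, which is the price of UI navigation and worth a conscious decision.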
You need to decrypt customer data to provide it to an application. When you run the decryption command, you get the output below. Why does the response not directly reveal the cleartext data?
$ vault write transit/decrypt/phone_number ciphertext="vault:v1:tgx2vsxtlQRfyLSKvem..."
Key Value
--- -----
plaintext aGFzaGljb3JwIGNlcnRpZmllZDogdmF1bHQgYXNzb2NpYXRl
Answer : B
Comprehensive and Detailed In-Depth
The Vault Transit secrets engine returns decrypted data in base64-encoded format:
B. The output is base64 encoded: 'All plaintext data must be base64-encoded before being encrypted by Vault. As a result, decrypted data is always base64 encoded.' Decode it (for example with base64 -d) to recover the cleartext; the sample value above decodes to 'hashicorp certified: vault associate'.
Incorrect Options:
A. Permission issue: a missing capability produces a permission denied error, not encoded output. 'Not because the user lacks permission.'
C. Wrapped token: the response carries a plaintext field, not a wrapping token. 'Not a response wrapped token.'
D. Original encryption: irrelevant; the data has been decrypted and is merely still encoded.
Transit accepts and returns base64 so that arbitrary binary plaintext can pass through its JSON API: encode before encrypting, decode after decrypting.
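The base64 step on both sides of a Transit round trip, as an added example that is not part of the page or of HashiCorp's documentation. It runs locally against a constructed copy of the CLI output shown above; the vault invocations appear in comments only and no Vault server is contacted. It assumes a base64(1) that accepts -d (GNU coreutils and current BSD/macOS).

```shell
#!/bin/sh
# Added example (not from the page or HashiCorp): encode before encrypt,
# decode after decrypt, exercised on the sample response from the question.
# Assumes base64(1) accepts -d; no Vault server is contacted.
set -e

# Transit only accepts base64 in `plaintext=`, so encode before encrypting:
#   vault write transit/encrypt/phone_number \
#       plaintext="$(encode_for_transit '555-0100')"
# (tr strips the line wrapping GNU base64 adds for long input; -w0 is not portable.)
encode_for_transit() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# ...and decode what decrypt returns. -field prints only that one field, so the
# CLI output can be piped straight in:
#   vault write -field=plaintext transit/decrypt/phone_number \
#       ciphertext="vault:v1:..." | decode_from_transit
decode_from_transit() {
  if [ $# -gt 0 ]; then
    printf '%s' "$1" | base64 -d
  else
    base64 -d
  fi
}

# Pull the plaintext column out of the table-style CLI output on the page
# (the form you get without -field or -format=json).
extract_plaintext_field() {
  awk '$1 == "plaintext" { print $2 }'
}

# Constructed copy of the CLI response from the question above.
SAMPLE_OUTPUT='Key          Value
---          -----
plaintext    aGFzaGljb3JwIGNlcnRpZmllZDogdmF1bHQgYXNzb2NpYXRl'

decode_sample() {
  printf '%s\n' "$SAMPLE_OUTPUT" | extract_plaintext_field | decode_from_transit
}

echo "decoded: $(decode_sample)"
```

Because the decoded bytes are whatever was encrypted, treat them as binary: the $(...) substitution above is fine for the text in this example but would strip trailing newlines and cannot carry NUL bytes, so for real binary payloads write base64 -d output to a file or pipe it on directly.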
You need to write a new policy for Vault for a group of users on the automation team. The requirements stipulate that each user (and all future users) get access to their own private section of a KV secrets engine at the path kv/team/ and be able to manage their own secrets. Which policy below meets these requirements while minimizing the administrative effort and following the principle of least privilege?
Answer : D
Comprehensive and Detailed In-Depth
Templated policies with {{identity.entity.id}} provide user-specific access. The Vault documentation states:
'This policy would permit all current and future users with a custom path based on their entity ID when they log into Vault using a variable replacement within the path. Templated policies allow policy authors to create policies that can dynamically adjust based on attributes of the identity requesting access.'
--- Vault Policies: Templated Policies
D: Correct. Uses entity ID for private sections with minimal effort:
'By using {{identity.entity.id}}, each user gets access to their own private section, minimizing administrative effort as new users automatically get their own path.'
--- Vault Policies: Templated Policies
A: Group-based, and grants only list rather than the capabilities needed to manage secrets.
B: Hardcodes users, not scalable.
C: Grants all users access to all secrets, violating least privilege.
Vault Policies: Templated Policies
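A templated policy of the kind answer D describes, together with a local emulation of how Vault renders it per entity and matches request paths, as an added example that is not part of the page or of HashiCorp's code. The policy text and the two entity IDs are assumptions standing in for the UUIDs Vault assigns; nothing here talks to a Vault server.

```shell
#!/bin/sh
# Added example (not from the page or HashiCorp): a {{identity.entity.id}}
# templated policy and a local emulation of Vault's rendering and glob
# matching, showing that two entities land in disjoint subtrees.
# Install the real policy with:  vault policy write automation-team automation-team.hcl
set -e

TEMPLATED_POLICY='path "kv/team/{{identity.entity.id}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}'

# Vault substitutes the requester's entity ID into the path at evaluation time.
render_for_entity() {
  printf '%s\n' "$TEMPLATED_POLICY" | sed "s|{{identity.entity.id}}|$1|g"
}

# Emulate the policy glob: a path ending in "*" matches any request path that
# shares the prefix before the "*".
entity_may_access() {
  entity=$1
  request=$2
  rendered_path=$(render_for_entity "$entity" | sed -n 's/^path "\(.*\)" {$/\1/p')
  prefix=${rendered_path%\*}
  case $request in
    "$prefix"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed entity IDs standing in for the UUIDs Vault assigns
# (visible as entity_id in `vault token lookup`).
ALICE=0b9f7a2c-0000-4000-8000-000000000001
BOB=0b9f7a2c-0000-4000-8000-000000000002

render_for_entity "$ALICE"
for req in "kv/team/$ALICE/db/password" "kv/team/$BOB/db/password" "kv/team/"; do
  if entity_may_access "$ALICE" "$req"; then
    echo "alice: allowed  $req"
  else
    echo "alice: denied   $req"
  fi
done
```

Alice is allowed under her own subtree and denied under Bob's. She is also denied list on kv/team/ itself, which is correct for least privilege but means, as the earlier UI question showed, that browsing to her folder in the UI would additionally need list on kv/ and kv/team/; granting the latter would expose every teammate's entity ID as a directory name, so prefer deep-linking or the CLI if that matters.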
From the options below, select the auth methods that are better suited for machine-to-machine authentication (select five):
Answer : A, C, D, E, F
Comprehensive and Detailed In-Depth
Machine-to-machine (M2M) auth methods in Vault enable automated systems to authenticate without human interaction. Let's assess:
A: Kubernetes - Uses service account tokens for pods. Correct.
Vault Docs Insight: 'Kubernetes auth... ideal for workloads in Kubernetes clusters.'
B: GitHub - User-focused, requires human GitHub login. Incorrect.
Vault Docs Insight: 'GitHub auth... typically for human users.'
C: TLS - Certificate-based, perfect for M2M. Correct.
Vault Docs Insight: 'TLS auth uses certificates... suited for machine authentication.'
D: Token - Pre-generated tokens for automation. Correct.
Vault Docs Insight: 'Token auth... can be used by machines with proper management.'
E: AppRole - RoleID/SecretID for apps. Correct.
Vault Docs Insight: 'AppRole is designed for machine-to-machine authentication...'
F: AWS - IAM roles for AWS resources. Correct.
Vault Docs Insight: 'AWS auth... automated for AWS-based machines.'
G: LDAP - User directory-based, human-oriented. Incorrect.
Vault Docs Insight: 'LDAP... commonly for human user authentication.'
H: OIDC - User SSO, not M2M. Incorrect.
Vault Docs Insight: 'OIDC... for human single sign-on.'
Overall Explanation from Vault Docs:
'Examples of machine auth methods include AppRole, AWS, Kubernetes, TLS, and Token... Human auth methods include LDAP, GitHub, OIDC.'
Kyle enabled the database secrets engine for dynamic credentials. Amy, the senior DBA, accidentally deleted the database users created by Vault, disrupting client applications. How can Kyle manually remove the leases in Vault?
Answer : C
Comprehensive and Detailed In-Depth
To clean up disrupted leases:
C. vault lease revoke -force: 'Using the vault lease revoke -force flag is the correct way to manually remove leases in Vault.' -force deletes the lease from Vault's own store even though the secrets engine's revocation step fails (the database users it would drop no longer exist), and it must be combined with -prefix to scope the operation, e.g. vault lease revoke -force -prefix database/creds/<role>. 'This is meant for recovery situations where the secret was manually removed.'
Incorrect Options:
A: Waiting risks ongoing issues. 'May take time and could cause disruptions.'
B: Inaccurate; -force is needed. 'Not a valid approach without -force.'
D: Too broad, affects other leases. 'May impact other valid credentials.'
When generating dynamic credentials, Vault also creates associated metadata, including information like time duration, renewability, and more, and links it to the credentials. What is this referred to as?
Answer : C
Comprehensive and Detailed In-Depth
A: Secrets are the credentials themselves, not the metadata. Incorrect.
B: Tokens authenticate clients, not the metadata for credentials. Incorrect.
C: A lease is metadata tied to dynamic secrets, managing their lifecycle (TTL, renewability). Correct.
D: Secrets engines generate secrets, not the metadata. Incorrect.
Overall Explanation from Vault Docs:
'With every dynamic secret... Vault creates a lease: metadata containing TTL, renewability, etc.'