A developer team requests integration of their legacy application with Vault to encrypt and decrypt data for a backend database. They cannot modify the application for Vault authentication. What is the best way to achieve this integration?
Answer : D
Comprehensive and Detailed In-Depth
The Vault Agent with Auto-Auth is ideal for legacy apps that cannot be modified to authenticate to Vault themselves. The Vault documentation states:
'Legacy applications often suffer from the ability to integrate with modern platforms such as Vault. To assist with this, you can use the Vault Agent to authenticate and manage a Vault token automatically. The token is written to a sink (local file) that the application can pick up and use. The Vault Agent Auto Auth feature will manage the lifecycle of the token to ensure there is always a valid token that the application can use.'
--- Vault Agent Auto Auth
D: Correct. The Agent handles tokens for Transit encryption:
'Running the Vault Agent on the application server(s) and utilizing the Auto Auth feature is the best way to integrate Vault with the legacy application.'
--- Vault Agent Auto Auth
A: Transit doesn't send data directly.
B: Requires app modification, not feasible.
C: Kubernetes auth requires app changes and Kubernetes context.
Vault Agent Auto Auth
Vault Secrets: Transit
An organization would like to use a scheduler to track and revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?
Answer : C
A lease ID is a unique identifier that is assigned by Vault to every dynamic secret and service type authentication token. A lease ID contains information such as the secret path, the secret version, the secret type, etc. A lease ID can be used to track and revoke access granted to a job by Vault at completion, as it allows the scheduler to perform the following operations:
Look up the lease information by using the vault lease lookup command or the sys/leases/lookup API endpoint. This will return the metadata of the lease, such as the expire time, the issue time, the renewable status, and the TTL.
Renew the lease if needed by using the vault lease renew command or the sys/leases/renew API endpoint. This will extend the validity of the secret or the token for a specified increment, or reset the TTL to the original value if no increment is given.
Revoke the lease when the job is completed by using the vault lease revoke command or the sys/leases/revoke API endpoint. This will invalidate the secret or the token immediately and prevent any further renewals. For example, with the AWS secrets engine, the access keys will be deleted from AWS the moment a lease is revoked.
A lease ID is different from a token ID or a token accessor. A token ID is the actual value of the token that is used to authenticate to Vault and perform requests. A token ID should be treated as a secret and protected from unauthorized access. A token accessor is a secondary identifier of the token that is used for token management without revealing the token ID. A token accessor can be used to look up, renew, or revoke a token, but not to authenticate to Vault or access secrets. A token ID or a token accessor can be used to revoke the token itself, but not the leases associated with the token. To revoke the leases, a lease ID is required.
An authentication method is a way to verify the identity of a user or a machine and issue a token with appropriate policies and metadata. An authentication method is not an object that can be tracked or revoked, but a configuration that can be enabled, disabled, tuned, or customized by using the vault auth commands or the sys/auth API endpoints.
You are performing a high number of authentications in a short amount of time. You're experiencing slow throughput for token generation. How would you solve this problem?
Answer : B
Batch tokens are a type of token that is not persisted in Vault's storage backend; instead, they are encrypted blobs that carry enough information to perform Vault actions. Batch tokens are extremely lightweight and scalable, and can improve the throughput for token generation. Batch tokens are suitable for high-volume and ephemeral workloads, such as containers or serverless functions, that require short-lived and non-renewable tokens. Batch tokens can be created by using the -type=batch flag in the vault token create command, or by configuring the token_type parameter in the auth method's role or mount options. Batch tokens have some limitations compared to service tokens, such as the lack of renewal, revocation, listing, accessor, and cubbyhole features. Therefore, batch tokens should be used with caution and only when the trade-offs are acceptable.
Reference: https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens, https://developer.hashicorp.com/vault/docs/commands/token/create, https://developer.hashicorp.com/vault/docs/concepts/tokens#token-types
Which statement best explains how Vault handles data encryption?
Answer : A
Comprehensive and Detailed In-Depth
Vault's encryption mechanism is a core security feature. The HashiCorp Vault documentation states: 'When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault.' It further explains: 'Vault uses encryption to secure data at rest and in transit, using an encryption key protected by the root key.'
The documentation details: 'The data stored by Vault is encrypted using an encryption key in the keyring. This keyring is itself encrypted by the root key, which is protected by the unseal process (e.g., Shamir's Secret Sharing or auto-unseal). Vault ensures data is encrypted both at rest in the storage backend and in transit over the network using TLS.' Option B is false: the root key is never stored in plaintext. Option C is incorrect: data is encrypted at rest, not just in transit. Option D is wrong: Vault performs encryption internally, not via third-party services. Thus, A is correct.
HashiCorp Vault Documentation - Seal Concepts
An Active Directory admin created a service account for an internal application. You want to store these credentials in Vault, allowing a CI/CD pipeline to read and configure the application with them during provisioning. Vault should maintain the last 3 versions of this secret. Which Vault secrets engine should you use?
Answer : D
Comprehensive and Detailed In-Depth
The requirement is to store static credentials (from Active Directory) in Vault with versioning (last 3 versions) for a CI/CD pipeline. The KV v2 secrets engine is designed for this: it stores arbitrary key-value pairs and supports versioning, allowing configuration of a maximum version count (e.g., vault kv metadata put -max-versions=3 kv/path). KV v1 (option A) lacks versioning. The LDAP engine (B) is for dynamic LDAP credentials, not static storage. The Identity engine (C) manages identities, not secrets. KV v2's versioning capability meets all needs, per its documentation.
KV v2 Docs
KV Versions Comparison
Your organization wants to set up human-based authentication for AzureAD. What authentication method should you enable and configure for Vault?
Answer : A
Comprehensive and Detailed In-Depth
For human-based authentication with Azure Active Directory (AzureAD), the OIDC/JWT authentication method is the best choice. The HashiCorp Vault documentation explains: 'The OIDC/JWT auth method is the best choice here. The organization should configure Vault to send authentication requests to AzureAD, which can then validate credentials on behalf of the user.' OIDC (OpenID Connect) leverages AzureAD as an identity provider, allowing users to authenticate via their AzureAD credentials in a secure, human-friendly manner.
Okta is a separate identity provider, not directly tied to AzureAD. Active Directory auth is deprecated and less suitable for cloud-based AzureAD integration. UserPass uses a local Vault-managed username/password, not external AzureAD authentication. Thus, A (OIDC/JWT) is correct.
HashiCorp Vault Documentation - JWT/OIDC Auth Method
True or False? The command vault lease revoke -prefix aws/ will revoke all leases associated with the secret engine mounted at /aws.
Answer : A
Comprehensive and Detailed In-Depth
The statement is True. The vault lease revoke -prefix aws/ command revokes all leases under the specified prefix. The HashiCorp Vault documentation states: 'The vault lease revoke command is used to revoke leases. Using the -prefix flag allows you to revoke entire trees of secrets.' When applied to aws/, it targets all leases associated with the secrets engine mounted at that path.
The docs further explain under 'Prefix-Based Revocation': 'The -prefix option allows revocation of all leases that share a common prefix, effectively cleaning up all secrets under a mount point or path.' Thus, A (True) is correct.
HashiCorp Vault Documentation - Leases: Prefix-Based Revocation