HashiCorp Vault-Associate HashiCorp Certified: Vault Associate (002) Exam Practice Test

Page: 1 / 14
Total 57 questions
Question 1

Running the second command in the GUI CLI will succeed.



Answer : B

Running the second command in the GUI CLI will fail. The second command is vault kv put secret/creds passcode=my-long-passcode. This command attempts to write a secret named creds with the value passcode=my-long-passcode to the secret path, which is the default path for the kv secrets engine. However, the kv secrets engine is not enabled at the secret path, as shown by the first command vault secrets list, which lists the enabled secrets engines and their paths. The only enabled secrets engine is the transit secrets engine at the transit path. Therefore, the second command will fail with an error message saying that no secrets engine is mounted at the path secret/. To make the second command succeed, the kv secrets engine must be enabled at the secret path or another path, using the vault secrets enable command. For example, vault secrets enable -path=secret kv would enable the kv secrets engine at the secret path.Reference:kv - Command | Vault | HashiCorp Developer,vault secrets enable - Command | Vault | HashiCorp Developer


Question 2

A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault.

Which Vault command will revoke the lease and remove the credential from AWS?



Answer : A

The correct answer is A because the lease ID is the unique identifier for the credential. The lease ID is used to revoke the credential using the vault lease revoke command. This command will invalidate the credential immediately and prevent any further renewals.It will also delete the access key and secret key from AWS, rendering them useless1. The access key and secret key are not sufficient to revoke the credential, as they are not recognized by Vault. The lease ID is composed of the path of the secrets engine, the role name, and a random UUID. In this case, the path is aws/creds, the role name is s3-access, and the UUID is f3e92392-7d9c-99c8-c921-57Sd62fe89d8.


lease revoke - Command | Vault | HashiCorp Developer

Question 3

How would you describe the value of using the Vault transit secrets engine?



Answer : D

The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault. The transit secrets engine provides encryption as a service, which means that it performs cryptographic operations on data in-transit without storing any data. This allows developers to delegate the responsibility of managing encryption keys and algorithms to Vault operators, who can define and enforce policies on the transit secrets engine. This way, developers can focus on their application logic and data, while Vault handles the encryption and decryption of data in a secure and scalable manner.Reference:Transit - Secrets Engines | Vault | HashiCorp Developer,Encryption as a service: transit secrets engine | Vault | HashiCorp Developer


Question 4

Which of the following describes usage of an identity group?



Answer : D

An identity group is a collection of entities that share some common attributes. An identity group can have one or more policies attached to it, which are inherited by all the members of the group. An identity group can also have subgroups, which can further refine the policies and attributes for a subset of entities.

One of the use cases of an identity group is to consistently apply the same set of policies to a collection of entities. For example, an organization may have different teams or departments, such as engineering, sales, or marketing. Each team may have its own identity group, with policies that grant access to the secrets and resources that are relevant to their work. By creating an identity group for each team, the organization can ensure that the entities belonging to each team have the same level of access and permissions, regardless of which authentication method they use to log in to Vault.Reference:Identity: entities and groups | Vault | HashiCorp Developer,vault_identity_group | Resources | hashicorp/vault | Terraform | Terraform Registry


Question 5

Which of the following is a machine-oriented Vault authentication backend?



Answer : B

AppRole is a machine-oriented authentication method that allows machines or applications to authenticate with Vault using a role ID and a secret ID. The role ID is a unique identifier for the application, and the secret ID is a single-use credential that can be delivered to the application securely.AppRole is designed to provide secure introduction of machines and applications to Vault, and to support the principle of least privilege by allowing fine-grained access control policies to be attached to each role1.

Okta, GitHub, and Transit are not machine-oriented authentication methods.Okta and GitHub are user-oriented authentication methods that allow users to authenticate with Vault using their Okta or GitHub credentials23.Transit is not an authentication method at all, but a secrets engine that provides encryption as a service4.


AppRole Auth Method | Vault | HashiCorp Developer

Okta Auth Method | Vault | HashiCorp Developer

GitHub Auth Method | Vault | HashiCorp Developer

Transit Secrets Engine | Vault | HashiCorp Developer

Question 6

Which of the following describes the Vault's auth method component?



Answer : A

The Vault's auth method component is the component that performs authentication and assigns identity and policies to a client. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached. The token can then be used to access the secrets and resources that are authorized by the policies. Vault supports various auth methods, such as userpass, ldap, aws, kubernetes, etc., that can integrate with different identity providers and systems. The auth method component can also handle token renewal and revocation, as well as identity grouping and aliasing.Reference:Auth Methods | Vault | HashiCorp Developer,Authentication - Concepts | Vault | HashiCorp Developer


Question 7

You can build a high availability Vault cluster with any storage backend.



Answer : B

Not all storage backends support high availability mode for Vault. Only the storage backends that support locking can enable Vault to run in a multi-server mode where one server is active and the others are standby. Some examples of storage backends that support high availability mode are Consul, Integrated Storage, and ZooKeeper.Some examples of storage backends that do not support high availability mode are Filesystem, MySQL, and PostgreSQL.Reference: https://developer.hashicorp.com/vault/docs/concepts/ha1, https://developer.hashicorp.com/vault/docs/configuration/storage2


Page:    1 / 14   
Total 57 questions