HashiCorp Certified: Vault Associate (003)Exam (HCVA0-003) Free Practice Test

Question 1

You are using the Vault API to test authentication before modifying your CI/CD pipeline to properly authenticate to Vault. You manually authenticate to Vault and receive the response below. Based on the provided options, which of the following are true? (Select four)
* $ curl \
* --request POST \
* --data @payload.json \
* https://vault.krausen.com:8200/v1/auth/userpass/login/bryan.krausen | jq
* *******************************************************************************
* ******* RESPONSE BELOW ********************************************************
* *******************************************************************************
* {
* "request_id": "f758e8da-11b6-8341-d404-56f0c370a7fa",
* "lease_id": "",
* "renewable": false,
* "lease_duration": 0,
* "data": null,
* "wrap_info": null,
* "warnings": null,
* "auth": {
* "client_token": "hvs.CbzCNJCVWt63jyzyaJakgDwz",
* "accessor": "rffwXzKFcxvaQi6Vgo8tY4Lt",
* "policies": [
* "training",
* "default"
* ],
* "token_policies": [
* "training",
* "default"
* ],
* "metadata": {
* "username": "bryan.krausen"
* },
* "lease_duration": 84600,
* "renewable": true,
* "entity_id": "f1795f6a-c576-d619-b2d5-74c0aee08edb",
* "token_type": "service",
* "orphan": true
* }
* }

A. The returned token is a batch token

B. The token required to retrieve a secret is hvs.CbzCNJCVWt63jyzyaJakgDwz

C. The user needs to retrieve .auth.client_token in order to perform other actions

D. The accessor will be used to authenticate to Vault to retrieve secrets

E. The user is using the userpass auth method

F. The user's password is stored in a file named payload.json

Correct Answer: B,C,E,F

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

What API endpoint is used to enable and configure a secrets engine?

A. /v1/sys/plugins/catalog

B. /v1/sys/mounts

C. /v1/sys/init

D. /v1/sys/config

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

True or False? The command vault lease revoke -prefix aws/ will revoke all leases associated with the secret engine mounted at /aws.

A. False

B. True

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

Your organization operates active/active applications across multiple data centers for high availability. Which Vault feature should be used in the secondary data centers to provide local access to secrets?

A. Performance standby nodes

B. Disaster recovery cluster

C. Performance replication cluster

D. Customized plugins for the Vault cluster

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

Which of the following are accurate statements regarding the use of a KV v2 secrets engine (select three)?

A. Issuing a vault kv destroy command permanently deletes the current version of the secret

B. Issuing a vault kv metadata delete command permanently deletes the secret

C. Issuing a vault kv delete command performs a soft delete of the current version

D. Issuing a vault kv destroy command deletes all versions of a secret

Correct Answer: A,B,C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

A new Vault administrator is writing a CURL command (shown below) to retrieve a secret stored in a KV v2 secrets engine at secret/audio/soundbooth but is receiving an error. What could be the cause of the error?
$ curl \
--header "X-Vault-Token: hvs.rffHw0iXqkRo19b2cjf93DM39WjpbN3J" \
https://vault.unlimited.com:8200/v1/secret/audio/soundbooth

A. The request is being made on the incorrect endpoint and should be:
$ curl \
--header "X-Vault-Token: hvs.rffHw0iXqkRo19b2cjf93DM39WjpbN3J" \
https://vault.unlimited.com:8200/v1/secret/data/audio/soundbooth

B. The endpoint should point to v2 since this is a KV v2 secrets engine:
$ curl \
--header "X-Vault-Token: hvs.rffHw0iXqkRo19b2cjf93DM39WjpbN3J" \
https://vault.unlimited.com:8200/v2/secret/audio/soundbooth

C. The VAULT_ADDR environment variable wasn't set, so it should be configured: export VAULT_ADDR="https://vault.unlimited.com:8200"

D. The user's token doesn't permit access to the Vault API, only the UI

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

Tommy has written an AWS Lambda function that will perform certain tasks for the organization when data has been uploaded to an S3 bucket. Security policies for the organization do not allow Tommy to hardcode any type of credential within the Lambda code or environment variables. However, Tommy needs to retrieve a credential from Vault to write data to an on-premises database. What auth method should Tommy use in Vault to meet the requirements while not violating security policies?

A. Userpass

B. AppRole

C. AWS

D. Token

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

Which of the following features are not available in the Vault Community version?

A. HSM auto-unseal

B. Dynamic secrets engines

C. Multi-factor authentication (auth)

D. Event notifications and filtering

E. Single sign-on support

F. Cloud KMS auto-unseal

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

You want to integrate a third-party application to retrieve credentials from the HashiCorp Vault API. How can you accomplish this without having direct access to the source code?

A. Use the Vault Agent to obtain secrets and provide them to the application

B. Put in a request to the third-party application vendor

C. You cannot integrate a third-party application with Vault without being able to modify the source code

D. Instead of the API, have the application use the Vault CLI to retrieve credentials

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

A user is assigned the following policy, and they can successfully retrieve secrets using the CLI. However, the user reports receiving an error message in the UI. Why can't the user access the secret in the Vault UI?
path "kv/apps/app01" { capabilities = ["read"] }
Successful retrieval using the CLI

(Error: Permission denied in UI)

A. The user needs list permissions to browse the UI

B. The user doesn't have permissions to retrieve the data from the UI, only the CLI

C. The user doesn't know what they're doing

D. The user's token is invalid

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 11

Which of the following are benefits of using the Vault Secrets Operator (VSO)? (Select three)

A. Automatic secret drift and remediation

B. Bi-directional sync between Vault and Kubernetes Secrets

C. Support for syncing from multiple secret sources

D. Automatic secret rotation for multiple Kubernetes resource types

Correct Answer: A,C,D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 12

You have deployed an application that needs to encrypt data before writing to a database. What secrets engine should you use?

A. Transit

B. SSH

C. PKI

D. TOTP

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 13

Which statement describes the results of this command: $ vault secrets enable transit

A. Requires a root token to execute the command successfully

B. Enables the transit secrets engine at transit path

C. Enables the transit secrets engine at secret path

D. Fails due to missing -path parameter

E. Fails because the transit secrets engine is enabled by default

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 14

Which statement best describes the process of sealing a Vault instance?

A. Run the vault operator seal command, which securely discards the master key from memory and prevents further operations until unsealed.

B. Run vault operator rotate to rotate the Vault tokens for all clients, causing them to reauthenticate with the Vault.

C. Disable the TLS certificates on the Vault server by running vault secrets disable pki, blocking all requests.

D. Revoke all leases so no secrets can be accessed using vault lease revoke, but keep the master key in memory for quick recovery.

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 15

You need to decrypt customer data to provide it to an application. When you run the decryption command, you get the output below. Why does the response not directly reveal the cleartext data?
$ vault write transit/decrypt/phone_number ciphertext="vault:v1:tgx2vsxtlQRfyLSKvem..." Key Value
--- -----
plaintext aGFzaGljb3JwIGNlcnRpZmllZDogdmF1bHQgYXNzb2NpYXRl

A. The original data must have been encrypted

B. The output is base64 encoded

C. The output is actually a response wrapped token that needs to be unwrapped

D. The user does not have permission to view the cleartext data

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

HashiCorp Certified: Vault Associate (003)Exam (HCVA0-003) Free Practice Test