Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

Vault Associate 002 by HashiCorp - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

That's the end of the Preview

Create a free account to unlock all questions for this exam.

Log In / Sign Up

Page 1 of 4 • Questions 1-25 of 93

1 2 3 4

→

Know a question that should be here? Contribute to this exam

You are using the Vault userpass auth method mounted at auth/userpass. How do you create a new user named "sally" with password "h0wN0wB4r0wnC0w"? This new user will need the power-users policy.

A
B
C
D

What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

A vault kv put secret/my-secrets/my-password 53cr3t
B vault kv write secret/my-secrets/my-password 53cr3t
C vault kv write 53cr3t my-secrets/my-password
D vault kv put secret/my-secrets my-password-53cr3t

What can be used to limit the scope of a credential breach?

A Storage of secrets in a distributed ledger
B Enable audit logging
C Use of a short-lived dynamic secrets
D Sharing credentials between applications

What environment variable overrides the CLI’s default Vault server address?

A VAULT_ADDR
B VAULT_HTTP_ADDRESS
C VAULT_ADDRESS
D VAULT_HTTPS_ADDRESS

Which of the following statements describe the CLI command below?
$ vault login -method=ldap username=mitchellh

A Generates a token which is response wrapped
B You will be prompted to enter the password
C By default, the generated token is valid for 24 hours
D Fails because the password is not provided

The following three policies exist in Vault What do these policies allow an organization to do? app.hcl

callcenter.hcl

rewrap.hcl

A Separates permissions allowed on actions associated with the transit secret engine
B Nothing, as the minimum permissions to perform useful tasks are not present
C Encrypt decrypt, and rewrap data using the transit engine all in one policy
D Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

A Google Cloud Secrets Engine
B Identity secrets engine
C Key/Value secrets engine version 2
D SSH secrets engine

Which of these is not a benefit of dynamic secrets?

A Supports systems which do not natively provide a method of expiring credentials
B Minimizes damage of credentials leaking
C Ensures that administrators can see every password used
D Replaces cumbersome password rotation tools and practices

Which of the following cannot define the maximum time-to-live (TTL) for a token?

A By the authentication method
B By the client system
C By the mount endpoint configuration
D A parent token TTL
E System max TTL

What are orphan tokens?

A Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
B Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
C Orphan tokens are tokens with no policies attached
D Orphan tokens do not expire when their own max TTL is reached

To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

A update
B read
C sudo
D list
E None of the above

The vault lease renew command increments the lease time from:

A The current time
B The end of the lease

You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?

A
B
C
D

When using Integrated Storage, which of the following should you do to recover from possible data loss?

A Failover to a standby node
B Use snapshot
C Use audit logs
D Use server logs

How many Shamir’s key shares are required to unseal a Vault instance?

A All key shares
B A quorum of key shares
C One or more keys
D The threshold number of key shares

Which of these are a benefit of using the Vault Agent?

A Vault Agent allows for centralized configuration of application secrets engines
B Vault Agent will auto-discover which authentication mechanism to use
C Vault Agent will enforce minimum levels of encryption an application can use
D Vault Agent will manage the lifecycle of cached tokens and leases automatically

Which of the following describes usage of an identity group?

A Limit the policies that would otherwise apply to an entity in the group
B When they want to revoke the credentials for a whole set of entities simultaneously
C Audit token usage
D Consistently apply the same set of policies to a collection of entities

Vault supports which type of configuration for source limited token?

A Cloud-bound tokens
B Domain-bound tokens
C CIDR-bound tokens
D Certificate-bound tokens

Where does the Vault Agent store its cache?

A In a file encrypted using the Vault transit secret engine
B In the Vault key/value store
C In an unencrypted file
D In memory