HashiCorp HashiCorp Certifications VAULT-ASSOCIATE Questions & Answers

• Question 41:

  When unsealing Vault, each Shamir unseal key should be entered:

  A. Sequentially from one system that all of the administrators are in front of

  B. By different administrators each connecting from different computers

  C. While encrypted with each administrators PGP key

  D. At the command line in one single command

  Correct Answer: B

  When unsealing Vault, each Shamir unseal key should be entered by different administrators each connecting from different computers. This is because the Shamir unseal keys are split into shares that are distributed to trusted operators, and no single operator should have access to more than one share. This way, the unseal process requires the cooperation of a quorum of key holders, and enhances the security and availability of Vault. The unseal keys can be entered via multiple mechanisms from multiple client machines, and the process is stateful. The order of the keys does not matter, as long as the threshold number of keys is reached. The unseal keys should not be entered at the command line in one single command, as this would expose them to the history and compromise the security. The unseal keys should not be encrypted with each administrator's PGP key, as this would prevent Vault from decrypting them and reconstructing the master key. References: https://developer.hashicorp.com/vault/docs/concepts/seal3, https://developer.hashicorp.com/vault/docs/commands/operator/unseal

• Question 42:

  Which of the following statements describe the secrets engine in Vault? Choose three correct answers.

  A. Some secrets engines simply store and read data

  B. Once enabled, you cannot disable the secrets engine

  C. You can build your own custom secrets engine

  D. Each secrets engine is isolated to its path

  E. A secrets engine cannot be enabled at multiple paths

  Correct Answer: ACD

  Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration. Some of the statements that describe the secrets engines in Vault are:

  Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached. Other secrets engines perform more complex operations, such as generating dynamic credentials,

  encrypting data, issuing certificates, etc1.

  You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC. You can also use the SDK to create your

  own secrets engine in Go and compile it into Vault2. Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets

  engine is enabled can be customized and can have multiple segments. For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/3.

  The statements that are not true about the secrets engines in Vault are:

  You can disable an existing secrets engine by using the vault secrets disable command or the sys/mounts API endpoint. When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend4.

  A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others. For example, you can

  enable the KV secrets engine at kv/ and secret/ and they will not share any data3.

  References

  : 1(https://developer.hashicorp.com/vault/docs/secrets), 2(https://developer.hashicorp.com/ vault/docs/secrets), 3(https://developer.hashicorp.com/vault/docs/secrets), 4(https://develo per.hashicorp.com/vault/docs/secrets)

• Question 43:

  What is the Vault CLI command to query information about the token the client is currently using?

  A. vault lookup token

  B. vault token lookup

  C. vault lookup self

  D. vault self-lookup

  Correct Answer: B

  The Vault CLI command to query information about the token the client is currently using is vault token lookup. This command displays information about the token or accessor provided as an argument, or the locally authenticated token if no argument is given. The information includes the token ID, accessor, policies, TTL, creation time, and metadata. This command can be useful for debugging and auditing purposes, as well as for renewing or revoking tokens. References: token lookup - Command | Vault | HashiCorp Developer, Tokens | Vault | HashiCorp Developer

• Question 44:

  Examine the command below. Output has been trimmed.

  

  Which of the following statements describe the command and its output?

  A. Missing a default token policy

  B. Generated token's TTL is 60 hours

  C. Generated token is an orphan token which can be renewed indefinitely

  D. Configures the AppRole auth method with user specified role ID and secret ID

  Correct Answer: BC

  The command shown in the image is:

  vault token create -policy=approle -orphan -period=60h This command creates a new token with the following characteristics:

  It has the policy "approle" attached to it, which grants or denies access to certain paths and operations in Vault according to the policy rules. The policy can be defined by using the vault policy write command or the sys/policy API endpoint12.

  It is an orphan token, which means it has no parent token and it will not be revoked when its parent token is revoked. Orphan tokens can be useful for creating long- lived tokens that are not affected by the token hierarchy3. It has a period of

  60 hours, which means it has a renewable TTL of 60 hours. This means that the token can be renewed indefinitely as long as it does not go past the 60-hour mark from the last renewal time. The token's TTL will be reset to 60 hours upon

  each renewal. Periodic tokens are useful for creating tokens that have a fixed lifetime and can be easily revoked4.

  References: [1]1,

  [2]2, 3(https://developer.hashicorp.com/vault/docs/secrets/kv), 4(https://developer.hashicor p.com/vault/docs/secrets/kv)

• Question 45:

  What environment variable overrides the CLI's default Vault server address?

  A. VAULT_ADDR

  B. VAULT_HTTP_ADORESS

  C. VAULT_ADDRESS

  D. VAULT _HTTPS_ ADDRESS

  Correct Answer: B

  The environment variable VAULT_ADDR overrides the CLI's default Vault server address. The VAULT_ADDR environment variable specifies the address of the Vault server that is used to communicate with Vault from other applications or processes. By setting this variable, you can avoid hard-coding the Vault server address in your code or configuration files, and you can also use different addresses for different environments or scenarios. For example, you can use a local development server for testing purposes, and a production server for deploying your application. References: Commands (CLI) | Vault | HashiCorp Developer, Vault Agent - secrets as environment variables | Vault | HashiCorp Developer

• Question 46:

  Which of the following cannot define the maximum time-to-live (TTL) for a token?

  A. By the authentication method t natively provide a method of expiring credentials

  B. By the client system f credentials leaking

  C. By the mount endpoint configurationvery password used

  D. A parent token TTL e password rotation tools and practices

  E. System max TTL

  Correct Answer: B

  The maximum time-to-live (TTL) for a token is defined by the lowest value among the following factors:

  The authentication method that issued the token. Each auth method can have a default and a maximum TTL for the tokens it generates. These values can be configured by the auth method's mount options or by the auth method's specific

  endpoints.

  The mount endpoint configuration that the token is accessing. Each secrets engine can have a default and a maximum TTL for the leases it grants. These values can be configured by the secrets engine's mount options or by the secrets

  engine's specific endpoints.

  A parent token TTL. If a token is created by another token, it inherits the remaining TTL of its parent token, unless the parent token has an infinite TTL (such as the root token). A child token cannot outlive its parent token. System max TTL.

  This is a global limit for all tokens and leases in Vault. It can be configured by the system backend's max_lease_ttl option. The client system that uses the token cannot define the maximum TTL for the token, as this is determined by Vault's

  configuration and policies. The client system can only request a specific TTL for the token, but this request is subject to the limits imposed by the factors above.

  References: https://developer.hashicorp.com/vault/docs/concepts/tokens3, https://developer.hashicorp.com/vault/docs/concepts/lease2, https://developer.hashicorp.com/vault/docs/commands/auth/tune4, https://developer.hashicorp.com/

  vault/docs/commands/secrets/tune5, https://developer.hashicorp.com/vault/docs/commands/token/create6

• Question 47:

  What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

  A. vault kv put secret/my-secrets/my-password 53cr3t

  B. vault kv write secret/my-secrets/my-password 53cr3t

  C. vault kv write 53cr3t my-secrets/my-password

  D. vault kv put secret/my-secrets

  Correct Answer: A

  The vault kv put command writes the data to the given path in the K/V secrets engine. The command requires the mount path of the K/V secrets engine, the secret path, and the key-value pair to store. The mount path can be specified with

  the - mount flag or as part of the secret path. The key-value pair can be given as an argument or read from a file or stdin. The correct syntax for the command is:

  vault kv put -mount=secret my-secrets/my-password 53cr3t or vault kv put secret/my-secrets my-password=53cr3t The other options are incorrect because they use the deprecated vault kv write command, or they have the wrong order or

  format of the arguments.

  References:

  https://developer.hashicorp.com/vault/docs/commands/kv/put3, https://developer.hashicorp.com/vault/docs/commands/kv4

• Question 48:

  As a best practice, the root token should be stored in which of the following ways?

  A. Should be revoked and never stored after initial setup

  B. Should be stored in configuration automation tooling

  C. Should be stored in another password safe

  D. Should be stored in Vault

  Correct Answer: A

  The root token is the initial token created when initializing Vault. It has unlimited privileges and can perform any operation in Vault. As a best practice, the root token should be revoked and never stored after initial setup. This is because the root token is a single point of failure and a potential security risk if it is compromised or leaked. Instead of using the root token, Vault operators should create other tokens with appropriate policies and roles that allow them to perform their tasks. If a new root token is needed in an emergency, the vault operator generate-root command can be used to create one on-the- fly with the consent of a quorum of unseal key holders. References: Tokens | Vault | HashiCorp Developer, Generate root tokens using unseal keys | Vault | HashiCorp Developer

• Question 49:

  Where can you set the Vault seal configuration? Choose two correct answers.

  A. Cloud Provider KMS

  B. Vault CLI

  C. Vault configuration file

  D. Environment variables

  E. Vault API

  Correct Answer: CD

  The Vault seal configuration can be set in two ways: through the Vault configuration file or through environment variables. The Vault configuration file is a text file that contains the settings and options for Vault, such as the storage backend, the listener, the telemetry, and the seal. The seal stanza in the configuration file specifies the seal type and the parameters to use for additional data protection, such as using HSM or Cloud KMS solutions to encrypt and decrypt the root key. The seal configuration can also be set through environment variables, which will take precedence over the values in the configuration file. The environment variables are prefixed with VAULT_SEAL_ and followed by the seal type and the parameter name. For example, VAULT_SEAL_AWSKMS_REGION sets the region for the AWS KMS seal. References: Seals - Configuration | Vault | HashiCorp Developer, Environment Variables | Vault | HashiCorp Developer

• Question 50:

  Running the second command in the GUI CLI will succeed.

  

  A. True

  B. False

  Correct Answer: B

  Running the second command in the GUI CLI will fail. The second command is vault kv put secret/creds passcode=my-long-passcode. This command attempts to write a secret named creds with the value passcode=my-long-passcode to the secret path, which is the default path for the kv secrets engine. However, the kv secrets engine is not enabled at the secret path, as shown by the first command vault secrets list, which lists the enabled secrets engines and their paths. The only enabled secrets engine is the transit secrets engine at the transit path. Therefore, the second command will fail with an error message saying that no secrets engine is mounted at the path secret/. To make the second command succeed, the kv secrets engine must be enabled at the secret path or another path, using the vault secrets enable command. For example, vault secrets enable - path=secret kv would enable the kv secrets engine at the secret path. References: kv Command | Vault | HashiCorp Developer, vault secrets enable - Command | Vault | HashiCorp Developer