50 Vault Certification Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the HashiCorp Certified: Vault Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for HashiCorp Certified: Vault Associate
A Vault cluster is deployed with integrated storage (Raft). One node is elected leader and others are followers. What is the primary responsibility of the leader in this setup?
You need an authentication method for human users that supports a username/password workflow and can enforce multi-factor authentication via an external identity provider. Which auth method is typically the best fit?
A developer accidentally stored an API key in a KV v2 secret. They removed the key from the latest version, but security requires that the old value no longer be retrievable from Vault. What should an operator do?
A team wants applications to generate short-lived database credentials dynamically instead of using static passwords stored in configuration files. Which Vault secrets engine capability directly supports this requirement?
A Vault policy includes the stanza below: path "secret/data/payments/*" { capabilities = ["read"] } A client using this policy gets a 403 when running "vault kv get secret/payments" (KV v2). What is the most likely cause?
A security team wants to reduce risk by ensuring Vault tokens used by applications cannot be used to create additional child tokens. Which token property should be set when creating tokens for these apps?
A Vault agent is configured with Auto-Auth to log in via AppRole and write the resulting token to a sink file. After some time, the application begins receiving permission errors because the token expires. What is the best fix?
An operator enables the Transit secrets engine and wants to ensure Vault never sees plaintext application data at rest, while still allowing apps to encrypt/decrypt data. What is the correct description of what Transit provides?
A company uses Vault namespaces to separate teams. Team A creates a policy and a token in their namespace and attempts to use that token to access secrets in Team B’s namespace. Access is denied even though the policy names match. Why?
You are troubleshooting a Vault cluster where clients intermittently receive "permission denied" when calling a secrets engine endpoint. Vault audit logs show requests arriving with valid tokens, but the requests sometimes target different nodes. Which configuration issue is the MOST likely cause in an HA cluster?
An application team wants to store a single API key and retrieve it unchanged over time. They do not need automatic rotation or per-request credentials. Which Vault secrets engine best fits this requirement?
A Vault operator sees a token with the properties: renewable=true, period=30m, and no explicit TTL. What behavior should the operator expect if the token is renewed regularly?
A security team wants to ensure a Vault token cannot create child tokens. Which token property should be set?
A team is migrating from local development to production. In production they want Vault to use a highly available backend and allow multiple Vault nodes to coordinate leadership. Which storage configuration best meets this requirement?
A Kubernetes workload authenticates to Vault using the Kubernetes auth method. Authentication succeeds, but Vault denies access to read a secret at 'kv/data/payments'. What is the most likely cause?
An organization uses the AppRole auth method for a legacy service. Security wants to reduce the risk of secret_id theft being reused. Which AppRole setting best addresses this by limiting reuse of a SecretID?
A platform team wants developers to be able to list available secret keys under 'kv/' but only read the values for 'kv/data/team-a/*'. Which policy capability is required to allow listing without granting read access to values?
A service uses Vault Agent with auto-auth to obtain tokens and write them to a sink file. The service occasionally fails because it reads the token file while Vault Agent is rotating it. What is the best practice to avoid partial reads during token rotation?
A security engineer creates a policy allowing access to 'kv/data/prod/*' but users can still read secrets under 'kv/data/prod/payments'. The engineer realizes there is also a policy attached granting broader access. Which Vault policy evaluation rule explains why access is still allowed?
A Vault cluster is configured with performance replication between two datacenters. An operator tries to enable a new secrets engine on the secondary cluster and receives an error indicating the operation is not permitted. What is the correct explanation?
You enabled the Kubernetes auth method and a pod can authenticate successfully, but any attempt to read secrets returns "permission denied". The role exists and the service account/namespace mapping is correct. What is the MOST likely missing configuration?
Your security team wants database credentials to be created on demand with automatic expiration, rather than storing static usernames/passwords. Which Vault secrets engine best fits this requirement?
A Vault operator needs to temporarily stop new client traffic to a standby node and verify it will not serve requests unless it becomes active. What feature provides this behavior by default in an HA deployment?
A team is writing a policy for the KV v2 secrets engine mounted at "secret/". They want to allow reading the secret at path "secret/app/config". Which policy path is correct?
A Vault token was created with a 1-hour TTL and marked as renewable. After 55 minutes, a client attempts to renew it and receives an error indicating it cannot be renewed further. Which setting MOST likely caused this?
You want applications to authenticate to Vault using their cloud identity without distributing long-lived credentials. Which approach best matches this goal?
A team uses the Transit secrets engine for encryption. They need to ensure that ciphertext can be decrypted only if it was encrypted with the same key and the same additional contextual value provided by the application (so stolen ciphertext is less useful). Which Transit feature supports this?
A policy is intended to allow a user to list all secrets under "secret/app/" (KV v1) but not read the secret values. Which capability should be granted on the appropriate path?
You are designing an onboarding process where an external system should create child tokens for applications, but you do NOT want those child tokens to remain valid if the external system's token is revoked. Which token behavior should you avoid to meet this requirement?
After enabling audit logging, you notice sensitive values are still appearing in the audit device output for some requests. You need to reduce exposure of secrets in logs while preserving useful request context. What is the BEST action?
A team wants applications to fetch secrets without storing any long-lived credentials. They run workloads in Kubernetes and want Vault to authenticate pods based on their service account identity. Which auth method best fits this requirement?
Your security team wants to reduce risk from accidental writes by ensuring a set of application tokens can only read secrets and never create, update, or delete them. Which policy capability should be granted on the relevant paths?
A developer reports that after enabling the KV v2 secrets engine at path "secret/", their script calling "vault kv get secret/myapp" fails because it tries to read from "secret/myapp" using the HTTP API directly. What is the most likely cause?
You are designing a highly available Vault cluster. To allow any node to serve client requests while maintaining a single active node for writes, what mechanism coordinates leadership in an HA deployment?
A platform team wants developers to request database credentials that expire automatically and are unique per application instance. Which Vault feature should they implement?
A token was created with a 1-hour TTL and is renewable. An application calls Vault every 10 minutes and wants the token to stay valid as long as the app is healthy, but to expire if the app stops renewing. Which token type best matches this behavior?
A team uses the AWS auth method with IAM principals. They want each authenticated workload to receive only its own policy set without relying on manually created Vault entities. Which approach is recommended?
A policy grants access to path "secret/data/payments/*" with capabilities ["read"]. A user can read "secret/data/payments/api" but gets a permission denied when attempting to list available keys under "secret/metadata/payments". What is the most likely fix?
Your organization uses Vault namespaces. A script authenticates successfully to a child namespace, but subsequent secret reads fail with "permission denied" even though the policy exists in that child namespace. The token was created in the root namespace and then reused. What is the most likely reason?
A company wants to encrypt application data at rest using Vault while ensuring Vault never stores the plaintext and that applications can perform encryption/decryption operations via an API. Which secrets engine should be used, and what key behavior is most relevant?
A Vault operator wants to quickly verify that a standby node is healthy and can serve requests if it becomes active. Which endpoint is most appropriate for this check?
A security engineer wants to prevent applications from using their Vault token indefinitely if it is accidentally leaked. Which token property best limits the maximum lifetime regardless of renewals?
An application needs to generate short-lived AWS credentials from Vault on demand without storing long-term IAM keys in the app. Which type of secrets engine should be used?
A team enables the Kubernetes auth method and configures it, but pods still get permission denied when reading secrets. The auth login succeeds and returns a token. What is the most likely missing configuration?
You need a Vault token for a CI job that should NOT allow creation of child tokens that outlive the job, and should also avoid leaving behind a token tree if the job token is revoked. Which token type is the best fit?
A company uses Vault namespaces (Enterprise). A policy in the parent namespace should allow reading a shared secret that lives in a child namespace. What must be true for this to work?
A team is migrating an application from the KV v1 secrets engine to KV v2 at the same mount path. After enabling KV v2, the app’s reads start failing with 404 errors even though the secret exists. What is the most likely cause?
A Vault cluster uses integrated storage (Raft). One node was down during an incident. After it comes back, it should rejoin and catch up automatically. Which statement best describes how this works?
An operator wants to rotate the active encryption key used to protect data in the storage backend without changing the seal type. Which operation is designed for this purpose?
An organization wants developers to authenticate to Vault using their existing OIDC identity provider. They also want Vault policies to be assigned based on OIDC group membership. Which Vault feature best supports mapping external groups to Vault policies?
HashiCorp Certified: Vault Associate 50 Practice Questions FAQs
HashiCorp Certified: Vault Associate is a professional certification from HashiCorp that validates expertise in HashiCorp Vault technologies and concepts. The official exam code is VA-003.
Our 50 HashiCorp Certified: Vault Associate practice questions are a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes a detailed explanation to help you learn.
50 questions is a good starting point for HashiCorp Certified: Vault Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 HashiCorp Certified: Vault Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.