HashiCorp Certified: Vault Associate (003) Questions and Answers
200 questions organized by topic with detailed explanations
HashiCorp
VA-003
200 questions
9 topics
Updated May 2026
Authentication methods
32 questions, 8 easy, 16 medium, 8 hard, ~15% of exam
A company wants employees to authenticate to Vault by using their enterprise directory accounts. Which auth method is th...
A security architect wants the same user who logs in through two different auth methods to map back to one internal iden...
An employee authenticates to Vault through LDAP, then the LDAP account is disabled in the external directory. What shoul...
Vault policies
24 questions, 5 easy, 12 medium, 7 hard, ~12% of exam
A team needs a token that can enumerate keys beneath a path without reading the secret values themselves. Which capabili...
An administrator must manage auth method mounts under sys/auth. Which additional policy capability is required beyond or...
A token receives one policy granting read access to a path and another policy applying deny to the same path. Which resu...
Vault tokens
32 questions, 8 easy, 16 medium, 8 hard, ~15% of exam
A workload uses a periodic token and renews it successfully before each period ends. What happens to the token TTL on ea...
Which token type is non-renewable, has no accessor, and is designed to be lightweight for high-scale use cases?
A security team wants to revoke a token without revealing the token ID to operators. Which token feature should they use...
Vault leases
16 questions, 4 easy, 8 medium, 4 hard, ~8% of exam
An operator requests a lease renewal with an increment of one hour. How should that increment be interpreted?
A candidate compares a key-value secret and a database credential generated by Vault. Which statement is accurate?
A security incident affects every temporary AWS credential issued from one Vault path. Which action revokes all of those...
Secrets engines
40 questions, 12 easy, 20 medium, 8 hard, ~20% of exam
One team asks whether a secrets engine mounted at one path can read raw storage data belonging to another secrets engine...
An application needs temporary AWS IAM credentials issued by Vault for a limited time. Which secrets engine best fits th...
A security architect wants to deliver a secret through an intermediary without exposing the actual secret material to th...
Encryption as a Service
8 questions, 1 easy, 4 medium, 3 hard, ~5% of exam
A team rotates a transit encryption key and still needs previously encrypted data to remain readable. Which statement is...
A developer uses the transit secrets engine to encrypt application data. Where is the plaintext stored after encryption?
A security team wants an almost untrusted process to move old transit ciphertext to the newest key version without ever ...
Vault architecture fundamentals
16 questions, 4 easy, 8 medium, 4 hard, ~8% of exam
A three-node Vault cluster using manual unseal is restarted for maintenance. What must operators do before the cluster i...
A new operator asks what it means when Vault is sealed. Which answer is most accurate?
A cluster uses auto-unseal and the team needs to perform an emergency root generation workflow later. Which key material...
Vault deployment architecture
24 questions, 7 easy, 12 medium, 5 hard, ~12% of exam
A primary cluster fails permanently and a DR secondary is promoted. What should application owners expect next?
Which storage backend does HashiCorp recommend for most Vault use cases today?
An architect wants the simplest self-managed deployment with no separate external storage cluster and one less network h...
Access management architecture
8 questions, 3 easy, 4 medium, 1 hard, ~5% of exam
A Kubernetes platform team wants a cluster-wide operator that watches custom resources and syncs Vault secrets into nati...
An application team wants Vault authentication and token renewal handled outside the application code, and it also wants...
A team wants auto-auth to preserve the original creation_path of a wrapped authentication token so clients can validate ...
All Questions
| # | Question | Topic | Difficulty |
|---|---|---|---|
| 1 | A three-node Vault cluster using manual unseal is restarted for maintenance. What must operators do ... | Vault architecture fundamentals | hard |
| 2 | A workload uses a periodic token and renews it successfully before each period ends. What happens to... | Vault tokens | medium |
| 3 | One team asks whether a secrets engine mounted at one path can read raw storage data belonging to an... | Secrets engines | hard |
| 4 | A new operator asks what it means when Vault is sealed. Which answer is most accurate? | Vault architecture fundamentals | medium |
| 5 | A company wants employees to authenticate to Vault by using their enterprise directory accounts. Whi... | Authentication methods | medium |