»About the Certification Exam
Visit the HashiCorp Cloud Engineer Certification page for information on the exam and to sign up.
The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault. Candidates will be best prepared for this exam if they have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may also be sufficient. This person understands what enterprise features exist and what can and cannot be done using the open source offering.
»Prerequisites
- Basic terminal skills
- Basic understanding of on-premise or cloud architecture
- Basic level of security understanding
To learn more about the exam, visit the HashiCorp Product Certifications page.
»Preparing for the Exam
Below are a study guide, sample exam questions, and a review guide. While much of the information in the study and review guides is the same, it is presented differently and serves different use cases. Use the study guide if you want to study all the exam objectives. Use the review guide if you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam. The sample questions give you a feel for the type and format of the exam.
»Study Guide
Here you will find links to Vault documentation and tutorials that cover the HashiCorp Certified: Vault Associate exam objectives. The intent is to read or follow each link in the order listed.
»Vault Fundamentals
Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k
You will be tested on your knowledge of Vault fundamentals which include Vault architecture, seal/unseal Vault, and how to authenticate with Vault. Do the following tasks to ensure that you understand the Vault core concepts.
- Read the Introduction to Vault documentation
- Read the 11 topics under the Vault Concepts documentation and the page about auth methods
- Complete all tutorials in the Vault Getting Started collection.
- Read the Overview section of the Vault Commands (CLI) documentation
»Access Management
Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f
Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.
- Read the Vault Agent documentation
- Follow these 5 tutorials from the Access Management learning track:
»Secrets Management
Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k
The secrets engines are responsible for managing secrets; therefore, they are a critical part of the Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.
- Browse the Secrets Engines section of the Vault documentation focusing on:
- Review the Secrets Management collection paying special attention to these 4 tutorials:
- Read the whitepaper linked from the Vault product Use Cases page. To test your understanding of Vault, some scenario-based questions will be asked.
»Data Encryption
Objectives covered: 5c, 10a-c
Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.
- Read the Transit section of the Secrets Engine documentation to learn its characteristics
- Follow these Data Encryption tutorials to learn its basic operation:
»Vault Deployment Architecture
Objectives covered: 9b-c, 9g-h
With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.
- Read the Architecture section of the documentation
- Follow the Vault Reference Architecture guide
- Familiarize yourself with the Vault Enterprise features—especially Replication—by reading the documentation. Some scenario-based questions will be asked.
- Look over the [Enterprise] Setting up Performance Replication tutorial to be aware of Enterprise features to scale Vault
»Sample Exam Questions
The exam consists of multiple choice, multiple answer, true/false, and other question types. Below are some examples so you can familiarize yourself with the exam format.
»1) When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt them.
✅ Correct: True
❌ Incorrect: False
»2) Batch tokens can be renewed indefinitely.
❌ Incorrect: True
✅ Correct: False
»3) Which statement is true about an orphan token?
✅ Correct: It does not expire when its parent does
❌ Incorrect: It is not persisted
❌ Incorrect: It does not have a max time-to-live (TTL)
❌ Incorrect: It has a use limit
»4) Which path will the following policy allow?
path "kv/+/team_*" {
capabilities = [ "read" ]
}
✅ Correct: kv/us-west/team_edu
❌ Incorrect: kv/team_edu
❌ Incorrect: kv/us-west/team
❌ Incorrect: kv/us-west/ca/team_edu
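To see why only the first path matches, here is an added Python example (not from this page and not HashiCorp's code) that models the two wildcard rules Vault documents for ACL paths: `+` matches exactly one path segment, and `*` is a prefix glob that is only valid as the last character of the path. The small HCL parser, the `allows` helper and the way matching rules are combined are this example's own assumptions, not Vault's implementation: it unions the capabilities of every matching rule and ignores Vault's longest-prefix precedence and the `deny` capability, which is exact for a single-rule policy like the one in question 4.

```python
import re
from typing import Dict, List

# The policy from sample question 4 (copied from the page).
POLICY = '''
path "kv/+/team_*" {
  capabilities = [ "read" ]
}
'''

# Regexes for the path/capabilities subset of Vault's HCL policy syntax.
_PATH_BLOCK = re.compile(r'path\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
_CAPS = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')
_QUOTED = re.compile(r'"([^"]*)"')


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Minimal parser (assumption of this example, not Vault's parser):
    returns {path pattern: [capabilities]} for each path block."""
    rules: Dict[str, List[str]] = {}
    for pattern, body in _PATH_BLOCK.findall(text):
        m = _CAPS.search(body)
        rules[pattern] = _QUOTED.findall(m.group(1)) if m else []
    return rules


def pattern_to_regex(pattern: str):
    """Translate a Vault ACL path pattern into an anchored regex.

    '+'  -> exactly one path segment (no '/')
    '*'  -> only allowed as the final character; matches any suffix,
            including further '/'-separated segments
    """
    if "*" in pattern and not pattern.endswith("*"):
        raise ValueError("'*' is only valid as the last character of a path")
    prefix_glob = pattern.endswith("*")
    if prefix_glob:
        pattern = pattern[:-1]
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("/".join(parts) + (".*" if prefix_glob else ""))


def capabilities_for(rules: Dict[str, List[str]], path: str) -> List[str]:
    """Union of capabilities from every rule whose pattern matches `path`.
    (Simplification: real Vault resolves overlapping rules by longest prefix
    and 'deny' wins; with a single rule the union is exact.)"""
    caps: List[str] = []
    for pattern, pcaps in rules.items():
        if pattern_to_regex(pattern).fullmatch(path):
            caps.extend(c for c in pcaps if c not in caps)
    return caps


def allows(rules: Dict[str, List[str]], path: str, capability: str = "read") -> bool:
    """True if the policy grants `capability` on `path`."""
    return capability in capabilities_for(rules, path)


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for candidate in ("kv/us-west/team_edu", "kv/team_edu",
                      "kv/us-west/team", "kv/us-west/ca/team_edu"):
        print(f"{candidate:26s} read allowed: {allows(rules, candidate)}")
```

Running the block prints one line per candidate path; only `kv/us-west/team_edu` is allowed. `kv/team_edu` has no segment for `+` to consume, `kv/us-west/team` lacks the `team_` prefix, and `kv/us-west/ca/team_edu` has two segments where `+` permits exactly one.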
»5) What is true of Vault tokens? Choose TWO correct answers.
✅ Correct: Vault tokens are generated by every authentication method login
✅ Correct: Vault tokens are the core method for authentication in Vault
❌ Incorrect: Vault tokens are required for every Vault call
❌ Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
»6) Which statements correctly describe the command below? Choose TWO correct answers.
vault write transit/decrypt/password \
ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==
✅ Correct: Returns base64-encoded plaintext
✅ Correct: Decrypts the ciphertext if the token permits
❌ Incorrect: Returns an error due to missing encryption key name
❌ Incorrect: Returns the ciphertext
❌ Incorrect: Requires sudo capability on the transit/decrypt/password path
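Added Python example (not part of this page and not HashiCorp's tooling) that shows the two facts question 6 turns on: the ciphertext carries its key version in the `vault:v<N>:` prefix but no key name, because the engine takes the key name (`password`) from the request path, and the plaintext Vault returns is base64-encoded and must be decoded by the client. The decrypt response and the version numbers are constructed inputs; `min_decryption_version` and the `transit/rewrap/<name>` endpoint are real transit features mentioned in the comments, but the check functions are this example's own and do not talk to a Vault server.

```python
import base64
import re
from typing import NamedTuple

# Ciphertext from sample question 6 (copied from the page).
CIPHERTEXT = "vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w=="

# Constructed example of a transit/decrypt response body (not captured from
# a real Vault server). Transit treats data as opaque bytes, so the plaintext
# comes back base64-encoded and the client must decode it.
SAMPLE_DECRYPT_RESPONSE = {"data": {"plaintext": "bXktc2VjcmV0LXBhc3N3b3Jk"}}

# Layout: vault:v<key version>:<base64 payload>
_CT_RE = re.compile(r"^vault:v(\d+):([A-Za-z0-9+/]+={0,2})$")


class TransitCiphertext(NamedTuple):
    key_version: int  # which version of the named transit key produced it
    payload: bytes    # opaque bytes; for the default aes256-gcm96 key type
                      # this is nonce || ciphertext || GCM tag


def parse_transit_ciphertext(ciphertext: str) -> TransitCiphertext:
    """Split a transit ciphertext into its key version and raw payload.

    Note what is *not* in the string: the key name. The engine takes the key
    from the request path (transit/decrypt/password), which is why the command
    in question 6 needs no key-name parameter.
    """
    m = _CT_RE.match(ciphertext)
    if not m:
        raise ValueError("not a transit ciphertext: expected 'vault:v<N>:<base64>'")
    return TransitCiphertext(int(m.group(1)), base64.b64decode(m.group(2), validate=True))


def decode_plaintext(decrypt_response: dict) -> bytes:
    """Return the raw plaintext bytes from a transit/decrypt response body."""
    return base64.b64decode(decrypt_response["data"]["plaintext"])


def is_decryptable(ciphertext: str, min_decryption_version: int) -> bool:
    """Client-side mirror of the key's min_decryption_version setting: Vault
    refuses to decrypt ciphertext produced by a key version below it."""
    return parse_transit_ciphertext(ciphertext).key_version >= min_decryption_version


def needs_rewrap(ciphertext: str, latest_version: int) -> bool:
    """After a key rotation (objective 10c) old ciphertext still decrypts until
    min_decryption_version is raised; flag it so it can be re-encrypted under
    the newest key via transit/rewrap/<name> before that happens."""
    return parse_transit_ciphertext(ciphertext).key_version < latest_version


if __name__ == "__main__":
    ct = parse_transit_ciphertext(CIPHERTEXT)
    print(f"key version {ct.key_version}, {len(ct.payload)} payload bytes")
    print("plaintext:", decode_plaintext(SAMPLE_DECRYPT_RESPONSE).decode())
    print("rewrap after rotating to v2?", needs_rewrap(CIPHERTEXT, latest_version=2))
```

The version prefix is what makes rotation safe to operate: inventory ciphertexts by `key_version`, rewrap the ones below the newest version, and only then raise `min_decryption_version` so that data encrypted under retired versions cannot be silently left unreadable.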
»7) Drag the red star to the place on the page you would click to view the list of available Vault-created encryption keys.
»Review Guide
Here is a direct mapping of each HashiCorp Certified: Vault Associate exam objective to where it is covered in HashiCorp's documentation or tutorial. This provides experienced exam candidates a place to review just the objectives they need extra help with before taking the exam.
| 1 | Compare authentication methods | Documentation | Tutorial |
|---|---|---|---|
| 1a | Describe authentication methods | Authentication | Authentication |
| 1b | Choose an authentication method based on use case | Authentication | AppRole Pull Authentication - Authentication |
| 1c | Differentiate human vs. system auth methods | Authentication | AppRole Pull Authentication - Authentication |

| 2 | Create Vault policies | Documentation | Tutorial |
|---|---|---|---|
| 2a | Illustrate the value of Vault policy | Policies | Vault Policies |
| 2b | Describe Vault policy syntax: path | Policy Syntax | Vault Policies – Write ACL policies in HCL format |
| 2c | Describe Vault policy syntax: capabilities | Capabilities | Vault Policies – Write ACL policies in HCL format |
| 2d | Craft a Vault policy based on requirements | Vault Policies – Policy requirements | |

| 3 | Assess Vault tokens | Documentation | Tutorial |
|---|---|---|---|
| 3a | Describe Vault token | Tokens | Tokens |
| 3b | Differentiate between service and batch tokens. Choose one based on use case | Tokens | Tokens |
| 3c | Describe root token uses and lifecycle | Root Tokens | |
| 3d | Define token accessors | Token Accessors | |
| 3e | Explain time-to-live | Token Accessors | Service Token Lifecycle |
| 3f | Explain orphaned tokens | Token Hierarchies and Orphan Tokens | Tokens – Orphan tokens |
| 3g | Create tokens based on need | Tokens | |

| 4 | Manage Vault leases | Documentation | Tutorial |
|---|---|---|---|
| 4a | Explain the purpose of a lease ID | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets |
| 4b | Renew leases | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets |
| 4c | Revoke leases | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets |

| 5 | Compare and configure Vault secrets engines | Documentation | Tutorial |
|---|---|---|---|
| 5a | Choose a secret method based on use case | Secrets Engines | |
| 5b | Contrast dynamic secrets vs. static secrets and their use cases | Use Case – Secrets Management | |
| 5c | Define transit engine | Transit Secrets Engine | Encryption as a Service: Transit Secrets Engine |
| 5d | Define secrets engines | Secrets Engines – Overview | |

| 6 | Utilize Vault CLI | Documentation | Tutorial |
|---|---|---|---|
| 6a | Authenticate to Vault | Authentication | Authentication |
| 6b | Configure authentication methods | Authentication | |
| 6c | Configure Vault policies | Policies, Vault Policies | |
| 6d | Access Vault secrets | Secrets Engines, Secrets Management Learning Track | |
| 6e | Enable Secret engines | Secrets Engines, Secrets Management Learning Track | |
| 6f | Configure environment variables | Environment Variables | |

| 7 | Utilize Vault UI | Documentation | Tutorial |
|---|---|---|---|
| 7a | Authenticate to Vault | AppRole Pull Authentication | |
| 7b | Configure authentication methods | AppRole Pull Authentication | |
| 7c | Configure Vault policies | Vault Policies | |
| 7d | Access Vault secrets | Secrets Management Learning Track | |
| 7e | Enable Secret engines | Secrets Management Learning Track | |

| 8 | Be aware of the Vault API | Documentation | Tutorial |
|---|---|---|---|
| 8a | Authenticate to Vault via Curl | API – Auth Methods | |
| 8b | Access Vault secrets via Curl | API – Secrets Engines | |

| 9 | Explain Vault architecture | Documentation | Tutorial |
|---|---|---|---|
| 9a | Describe the encryption of data stored by Vault | Introduction to Vault | |
| 9b | Describe cluster strategy | Vault Reference Architecture | |
| 9c | Describe storage backends | Architecture | Deploy Vault |
| 9d | Describe the Vault agent | Vault Agent | Vault Agent with AWS |
| 9e | Describe secrets caching | Vault Agent | Vault Agent Caching |
| 9f | Be aware of identities and groups | Identity: Entities and Groups | |
| 9g | Describe Shamir secret sharing and unsealing | Deploy Vault – Seal/Unseal | |
| 9h | Be aware of replication | Vault Enterprise Replication | [Enterprise] Setting up Performance Replication |
| 9i | Describe seal/unseal | Deploy Vault – Seal/Unseal | |
| 9j | Explain response wrapping | Response Wrapping | Cubbyhole Response Wrapping |
| 9k | Explain the value of short-lived, dynamically generated secrets | Secrets as a Service: Dynamic Secrets, Dynamic Secrets | |

| 10 | Explain encryption as a service | Documentation | Tutorial |
|---|---|---|---|
| 10a | Configure transit secret engine | Encryption as a Service: Transit Secrets Engine | |
| 10b | Encrypt and decrypt secrets | Encryption as a Service: Transit Secrets Engine | |
| 10c | Rotate the encryption key | Encryption as a Service: Transit Secrets Engine | |