
Vault Associate Certification Exam Review

»About the Certification Exam

The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault. Candidates will be best prepared for this exam if they have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may also be sufficient. This person understands what enterprise features exist and what can and cannot be done using the open source offering.


  • Basic terminal skills
  • Basic understanding of on-premise or cloud architecture
  • Basic level of security understanding

To learn more about the exam, visit the HashiCorp Product Certifications page.

»Preparing for the Exam

Below are a study guide, sample exam questions, and a review guide. While much of the information in the study and review guides is the same, they are presented differently and have different use cases. Use the study guide if you want to study all the exam objectives. Use the review guide if you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam. The sample questions give you a feel for the type and format of the exam.

»Study Guide

Here you will find links to Vault documentation, training, and Katacoda scenarios that cover the HashiCorp Certified: Vault Associate exam objectives. The intent is for you to read or follow each link in the order listed.

»Vault Fundamentals

Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k

You will be tested on your knowledge of Vault fundamentals which include Vault architecture, seal/unseal Vault, and how to authenticate with Vault. Do the following tasks to ensure that you understand the Vault core concepts.

»Access Management

Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f

Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.

»Secrets Management

Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k

The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.

»Data Encryption

Objectives covered: 5c, 10a-c

Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.

»Vault Deployment Architecture

Objectives covered: 9b-c, 9g-h

With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.

»Sample Exam Questions

The exam consists of multiple choice, multiple answer, true/false, and other question types. Below are some examples so you can familiarize yourself with the exam format.

»1) When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt it.

✅ Correct: True
❌ Incorrect: False

»2) Batch tokens can be renewed indefinitely.

❌ Incorrect: True
✅ Correct: False

»3) Which statement is true about an orphan token?

✅ Correct: It does not expire when its parent does
❌ Incorrect: It is not persisted
❌ Incorrect: It does not have a max time-to-live (TTL)
❌ Incorrect: It has a use limit

»4) Which path will the following policy allow?

path "kv/+/team_*" {
    capabilities = [ "read" ]
}

✅ Correct: kv/us-west/team_edu
❌ Incorrect: kv/team_edu
❌ Incorrect: kv/us-west/team
❌ Incorrect: kv/us-west/ca/team_edu
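
The matching rules behind the answer to question 4, as an added example (not part of the original page and not Vault's own code): a simplified Python model of policy path matching in which `+` stands for exactly one path segment and `*` is a prefix glob allowed only as the last character. The names `policy_path_matches` and `evaluate` are hypothetical, and capabilities and policy priority are not modeled.

```python
def policy_path_matches(pattern: str, request_path: str) -> bool:
    """Simplified model of how a Vault policy path covers a request path.

    '+' matches exactly one path segment; '*' is a prefix glob and is only
    valid as the last character of the policy path.
    """
    is_prefix = pattern.endswith("*")
    if is_prefix:
        pattern = pattern[:-1]
    if "*" in pattern:
        raise ValueError("'*' is only supported as the last character")

    pat_parts = pattern.split("/")
    req_parts = request_path.split("/")

    # Without a trailing glob the segment counts must be equal; with one,
    # the request may be longer than the policy path but never shorter.
    if len(req_parts) < len(pat_parts):
        return False
    if not is_prefix and len(req_parts) != len(pat_parts):
        return False

    last = len(pat_parts) - 1
    for i, pat in enumerate(pat_parts):
        seg = req_parts[i]
        if pat == "+":
            continue  # any single segment is accepted here
        if is_prefix and i == last:
            if not seg.startswith(pat):  # glob applies to the final segment
                return False
        elif pat != seg:
            return False
    return True


# Policy path and candidate request paths taken from question 4.
POLICY_PATH = "kv/+/team_*"
CANDIDATES = ["kv/us-west/team_edu", "kv/team_edu",
              "kv/us-west/team", "kv/us-west/ca/team_edu"]


def evaluate(pattern: str, paths: list) -> dict:
    """Map each request path to whether the policy path covers it."""
    return {p: policy_path_matches(pattern, p) for p in paths}


if __name__ == "__main__":
    for path, allowed in evaluate(POLICY_PATH, CANDIDATES).items():
        print(f"{path:26} {'allowed' if allowed else 'denied'}")
```

Because the trailing `*` is a prefix match, this model also accepts deeper paths such as `kv/us-west/team_edu/db`, which is worth keeping in mind when scoping a policy.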

»5) What is true of Vault tokens? Choose TWO correct answers.

✅ Correct: Vault tokens are generated by every authentication method login
✅ Correct: Vault tokens are the core method for authentication in Vault
❌ Incorrect: Vault tokens are required for every Vault call
❌ Incorrect: Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87

»6) Which statements correctly describe the command below? Choose TWO correct answers.

vault write transit/decrypt/password \

✅ Correct: Returns base64-encoded plaintext
✅ Correct: Decrypts the ciphertext if the token permits
❌ Incorrect: Returns an error due to missing encryption key name
❌ Incorrect: Returns the ciphertext
❌ Incorrect: Requires sudo capability on the transit/decrypt/password path

»7) Drag the red star to the place on the page you would click to view the list of available Vault-created encryption keys.

Hotspot question being answered by dragging the star to the correct place

»Review Guide

Here is a direct mapping of each HashiCorp Certified: Vault Associate exam objective to where it is covered in HashiCorp's documentation, training, or Katacoda scenario. This provides experienced exam candidates a place to review just the objectives they need extra help with before taking the exam.

| Objective | Description | Resources (documentation, tutorial, hands-on lab) |
|---|---|---|
| 1 | Compare authentication methods | |
| 1a | Describe authentication methods | Authentication; Authentication |
| 1b | Choose an authentication method based on use case | Authentication; AppRole Pull Authentication - Authentication |
| 1c | Differentiate human vs. system auth methods | Authentication; AppRole Pull Authentication - Authentication |
| 2 | Create Vault policies | |
| 2a | Illustrate the value of Vault policy | Policies; Vault Policies |
| 2b | Describe Vault policy syntax: path | Policy Syntax; Vault Policies – Write ACL policies in HCL format |
| 2c | Describe Vault policy syntax: capabilities | Capabilities; Vault Policies – Write ACL policies in HCL format |
| 2d | Craft a Vault policy based on requirements | Vault Policies – Policy requirements; Vault ACL Policies |
| 3 | Assess Vault tokens | |
| 3a | Describe Vault token | Tokens; Tokens |
| 3b | Differentiate between service and batch tokens. Choose one based on use case | |
| 3c | Describe root token uses and lifecycle | Root Tokens |
| 3d | Define token accessors | Token Accessors |
| 3e | Explain time-to-live | Token Accessors; Service Token Lifecycle |
| 3f | Explain orphaned tokens | Token Hierarchies and Orphan Tokens; Tokens – Orphan tokens |
| 3g | Create tokens based on need | Tokens; Vault Token Lifecycle |
| 4 | Manage Vault leases | |
| 4a | Explain the purpose of a lease ID | Lease, Renew, and Revoke; Secrets as a Service: Dynamic Secrets |
| 4b | Renew leases | Lease, Renew, and Revoke; Secrets as a Service: Dynamic Secrets |
| 4c | Revoke leases | Lease, Renew, and Revoke; Secrets as a Service: Dynamic Secrets |
| 5 | Compare and configure Vault secrets engines | |
| 5a | Choose a secret method based on use case | Secrets Engines |
| 5b | Contrast dynamic secrets vs. static secrets and their use cases | Use Case – Secrets Management |
| 5c | Define transit engine | Transit Secrets Engine; Encryption as a Service: Transit Secrets Engine |
| 5d | Define secrets engines | Secrets Engines – Overview |
| 6 | Utilize Vault CLI | |
| 6a | Authenticate to Vault | Authentication; Authentication; Vault Authentication |
| 6b | Configure authentication methods | Authentication; Vault Authentication |
| 6c | Configure Vault policies | Policies; Vault Policies; Vault ACL Policies |
| 6d | Access Vault secrets | Secrets Engines; Secrets Management Learning Track |
| 6e | Enable Secret engines | Secrets Engines; Secrets Management Learning Track; Versioned K/V |
| 6f | Configure environment variables | Environment Variables |
| 7 | Utilize Vault UI | |
| 7a | Authenticate to Vault | AppRole Pull Authentication; Vault Authentication |
| 7b | Configure authentication methods | AppRole Pull Authentication; Vault Authentication |
| 7c | Configure Vault policies | Vault Policies; Vault ACL Policies |
| 7d | Access Vault secrets | Secrets Management Learning Track |
| 7e | Enable Secret engines | Secrets Management Learning Track; Versioned K/V |
| 8 | Be aware of the Vault API | |
| 8a | Authenticate to Vault via Curl | API – Auth Methods |
| 8b | Access Vault secrets via Curl | API – Secrets Engines |
| 9 | Explain Vault architecture | |
| 9a | Describe the encryption of data stored by Vault | Introduction to Vault |
| 9b | Describe cluster strategy | Vault Reference Architecture |
| 9c | Describe storage backends | Architecture; Deploy Vault |
| 9d | Describe the Vault agent | Vault Agent; Vault Agent with AWS; Vault Agent |
| 9e | Describe secrets caching | Vault Agent; Vault Agent Caching; Vault Agent |
| 9f | Be aware of identities and groups | Identity: Entities and Groups; Vault Identity - Entities & Groups |
| 9g | Describe Shamir secret sharing and unsealing | Deploy Vault – Seal/Unseal; Vault Operations |
| 9h | Be aware of replication | Vault Enterprise Replication; [Enterprise] Setting up Performance Replication |
| 9i | Describe seal/unseal | Deploy Vault – Seal/Unseal |
| 9j | Explain response wrapping | Response Wrapping; Cubbyhole Response Wrapping; Vault Secrets Engines - Cubbyhole |
| 9k | Explain the value of short-lived, dynamically generated secrets | Secrets as a Service: Dynamic Secrets; Dynamic Secrets |
| 10 | Explain encryption as a service | |
| 10a | Configure transit secret engine | Encryption as a Service: Transit Secrets Engine; Vault Encryption as a Service |
| 10b | Encrypt and decrypt secrets | Encryption as a Service: Transit Secrets Engine; Vault Encryption as a Service |
| 10c | Rotate the encryption key | Encryption as a Service: Transit Secrets Engine; Vault Encryption as a Service |