
Product Certification Exam Prep

Vault Associate Certification Exam Review

About the Certification Exam

The Vault Associate certification is for security, IT, or DevOps professionals who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault. Qualified candidates may not have used Vault in production, but they have performed the tasks listed in the objectives in at least a personal demo environment. This person understands what enterprise features exist and what can and cannot be done using the open source offering.


  • Basic terminal skills
  • Basic understanding of on-premise or cloud architecture
  • Basic level of security understanding

To learn more about the exam, visit the HashiCorp Product Certifications page.

Preparing for the Exam

Below are both a study guide and a review guide. While much of the information in these two guides is the same, it is presented differently for different uses. Use the study guide if you want to study all the exam objectives. Use the review guide if you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam.

Study Guide

Here you will find links to Vault documentation, training, and Katacoda scenarios that cover the HashiCorp Certified: Vault Associate exam objectives. The intent is that you read or follow each link in the order listed.

Vault Fundamentals

Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k

You will be tested on your knowledge of Vault fundamentals which include Vault architecture, seal/unseal Vault, and how to authenticate with Vault. Do the following tasks to ensure that you understand the Vault core concepts.

Access Management

Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f

Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.

Secrets Management

Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k

The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.

Data Encryption

Objectives covered: 5c, 10a-c

Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.

Vault Deployment Architecture

Objectives covered: 9b-c, 9g-h

With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.

Review Guide

Here is a direct mapping of each HashiCorp Certified: Vault Associate exam objective to where it is covered in HashiCorp's documentation, training, or Katacoda scenario. This provides experienced exam candidates a place to review just the objectives they need extra help with before taking the exam.

1 | Compare authentication methods | Documentation | Guide | Interactive
1a | Describe authentication methods | Authentication | Authentication
1b | Choose an authentication method based on use case | Authentication | Authentication
1c | Differentiate human vs. system auth methods | Authentication | Authentication

2 | Create Vault policies | Documentation | Guide | Interactive
2a | Illustrate the value of Vault policy | Vault Policies
2b | Describe Vault policy syntax: path | Policy Syntax | Vault Policies – Write ACL policies in HCL format
2c | Describe Vault policy syntax: capabilities | Capabilities | Vault Policies – Write ACL policies in HCL format
2d | Craft a Vault policy based on requirements | Vault Policies – Policy requirements

3 | Assess Vault tokens | Documentation | Guide | Interactive
3a | Describe Vault token | Tokens | Tokens
3b | Differentiate between service and batch tokens. Choose one based on use case
3c | Describe root token uses and lifecycle | Root Tokens
3d | Define token accessors | Token Accessors
3e | Explain time-to-live | Token Accessors | Authentication
3f | Explain orphaned tokens | Token Hierarchies and Orphan Tokens | Tokens – Orphan tokens
3g | Create tokens based on need | Tokens

4 | Manage Vault leases | Documentation | Guide | Interactive
4a | Explain the purpose of a lease ID | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets
4b | Renew leases | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets
4c | Revoke leases | Lease, Renew, and Revoke | Secrets as a Service: Dynamic Secrets

5 | Compare and configure Vault secrets engines | Documentation | Guide | Interactive
5a | Choose a secret method based on use case | Secrets Engines
5b | Contrast dynamic secrets vs. static secrets and their use cases | Use Case – Secrets Management
5c | Define transit engine | Transit Secrets Engine | Encryption as a Service: Transit Secrets Engine
5d | Define secrets engines | Secrets Engines – Overview

6 | Utilize Vault CLI | Documentation | Guide | Interactive
6a | Authenticate to Vault | Authentication | Vault Authentication
6b | Configure authentication methods | Authentication | Vault Authentication
6c | Configure Vault policies | Policies | Vault Policies | Vault ACL Policies
6d | Access Vault secrets | Secrets Engines | Secrets Management Learning Track
6e | Enable Secret engines | Secrets Engines | Secrets Management Learning Track
6f | Configure environment variables | Environment Variables

7 | Utilize Vault UI | Documentation | Guide | Interactive
7a | Authenticate to Vault | AppRole Pull Authentication | Vault Authentication
7b | Configure authentication methods | AppRole Pull Authentication | Vault Authentication
7c | Configure Vault policies | Vault Policies | Vault ACL Policies
7d | Access Vault secrets | Secrets Management Learning Track
7e | Enable Secret engines | Secrets Management Learning Track

8 | Be aware of the Vault API | Documentation | Guide | Interactive
8a | Authenticate to Vault via Curl | API – Auth Methods
8b | Access Vault secrets via Curl | API – Secrets Engines

9 | Explain Vault architecture | Documentation | Guide | Interactive
9a | Describe the encryption of data stored by Vault | Introduction to Vault
9b | Describe cluster strategy | Vault Reference Architecture
9c | Describe storage backends | Architecture | Deploy Vault
9d | Describe the Vault agent | Vault Agent | Vault Agent with AWS | Vault Agent
9e | Describe secrets caching | Vault Agent | Vault Agent Caching | Vault Agent
9f | Be aware of identities and groups | Identity: Entities and Groups | Vault Identity - Entities & Groups
9g | Describe Shamir secret sharing and unsealing | Deploy Vault – Seal/Unseal | Vault Operations
9h | Be aware of replication | Vault Enterprise Replication | [Enterprise] Setting up Performance Replication
9i | Describe seal/unseal | Deploy Vault – Seal/Unseal
9j | Explain response wrapping | Cubbyhole Response Wrapping | Vault Secrets Engines - Cubbyhole
9k | Explain the value of short-lived, dynamically generated secrets | Secrets as a Service: Dynamic Secrets | Dynamic Secrets

10 | Explain encryption as a service | Documentation | Guide | Interactive
10a | Configure transit secret engine | Encryption as a Service: Transit Secrets Engine | Vault Encryption as a Service
10b | Encrypt and decrypt secrets | Encryption as a Service: Transit Secrets Engine | Vault Encryption as a Service
10c | Rotate the encryption key | Encryption as a Service: Transit Secrets Engine | Vault Encryption as a Service