About the Certification Exam
The exams are currently available to HashiCorp employees and select partners. Visit the Product Certifications page to sign up to be notified about general release.
The Vault Associate certification is for security, IT, or DevOps professionals who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault. Qualified candidates may not have used Vault in production, but they have performed the tasks listed in the objectives in at least a personal demo environment. This person understands what enterprise features exist and what can and cannot be done using the open source offering.
- Basic terminal skills
- Basic understanding of on-premise or cloud architecture
- Basic level of security understanding
To learn more about the exam, visit the HashiCorp Product Certifications page.
Preparing for the Exam
Below are both a study guide and a review guide. While much of the information in these two guides is the same, it is presented differently for different uses. Use the study guide if you want to study all the exam objectives. Use the review guide if you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam.
Here you will find links to Vault documentation, training, and Katacoda scenarios that cover the HashiCorp Certified: Vault Associate exam objectives. The intent is for you to read or follow each link in the order listed.
Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k
You will be tested on your knowledge of Vault fundamentals, which include Vault architecture, sealing and unsealing Vault, and how to authenticate with Vault. Do the following tasks to ensure that you understand the Vault core concepts.
- Read the Introduction to Vault documentation
- Read the 11 topics under the Vault Concepts documentation
- Follow the Vault Getting Started learning track. Do all 12 guides in this track
- Read the Overview section of the Vault Commands (CLI) documentation
- Do the Vault Authentication interactive scenario at Katacoda
Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f
Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.
- Read the Vault Agent documentation
- Follow these 5 guides from the Access Management learning track:
- Do the following interactive scenarios at Katacoda to get familiar with basic CLI commands:
Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k
The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.
- Browse the Secrets Engines section of the Vault documentation focusing on:
- Follow the Secrets Management learning track paying special attention to these 4 guides:
- Read the content at whitepaper from the Vault product Use Cases page. To test your understanding of Vault, some scenario-based questions will be asked.
- Do the Vault Secrets Engines - Cubbyhole interactive scenario at Katacoda to get familiar with response wrapping.
Objectives covered: 5c, 10a-c
Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.
- Read the Transit section of the Secrets Engine documentation to learn its characteristics
- Follow these Data Encryption guides to learn its basic operation:
- Do the Vault Encryption as a Service interactive scenario at Katacoda to get familiar with transit secrets engine CLI commands
Vault Deployment Architecture
Objectives covered: 9b-c, 9g-h
With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.
- Read the Architecture section of the documentation
- Follow the Vault Reference Architecture guide
- Do the Vault Operations interactive scenario at Katacoda to get familiar with the basic Vault operation tasks
- Familiarize yourself with the Vault Enterprise features—especially Replication—by reading the documentation. Some scenario-based questions will be asked.
- Look over the [Enterprise] Setting up Performance Replication guide to be aware of Enterprise features to scale Vault
Here is a direct mapping of each HashiCorp Certified: Vault Associate exam objective to where it is covered in HashiCorp's documentation, training, or Katacoda scenarios. This gives experienced exam candidates a place to review just the objectives they need extra help with before taking the exam.
|1||Compare authentication methods||Documentation||Guide||Interactive|
|1a||Describe authentication methods||Authentication||Authentication|
|1b||Choose an authentication method based on use case||Authentication||Authentication|
|1c||Differentiate human vs. system auth methods||Authentication||Authentication|
|2||Create Vault policies||Documentation||Guide||Interactive|
|2a||Illustrate the value of Vault policy||Vault Policies|
|2b||Describe Vault policy syntax: path||Policy Syntax||Vault Policies – Write ACL policies in HCL format|
|2c||Describe Vault policy syntax: capabilities||Capabilities||Vault Policies – Write ACL policies in HCL format|
|2d||Craft a Vault policy based on requirements||Vault Policies – Policy requirements|
|3||Assess Vault tokens||Documentation||Guide||Interactive|
|3a||Describe Vault token||Tokens||Tokens|
|3b||Differentiate between service and batch tokens. Choose one based on use case|
|3c||Describe root token uses and lifecycle||Root Tokens|
|3d||Define token accessors||Token Accessors|
|3e||Explain time-to-live||Token Accessors||Authentication|
|3f||Explain orphaned tokens||Token Hierarchies and Orphan Tokens||Tokens – Orphan tokens|
|3g||Create tokens based on need||Tokens|
|4||Manage Vault leases||Documentation||Guide||Interactive|
|4a||Explain the purpose of a lease ID||Lease, Renew, and Revoke||Secrets as a Service: Dynamic Secrets|
|4b||Renew leases||Lease, Renew, and Revoke||Secrets as a Service: Dynamic Secrets|
|4c||Revoke leases||Lease, Renew, and Revoke||Secrets as a Service: Dynamic Secrets|
|5||Compare and configure Vault secrets engines||Documentation||Guide||Interactive|
|5a||Choose a secret method based on use case||Secrets Engines|
|5b||Contrast dynamic secrets vs. static secrets and their use cases||Use Case – Secrets Management|
|5c||Define transit engine||Transit Secrets Engine||Encryption as a Service: Transit Secrets Engine|
|5d||Define secrets engines||Secrets Engines – Overview|
|6||Utilize Vault CLI||Documentation||Guide||Interactive|
|6a||Authenticate to Vault||Authentication||Vault Authentication|
|6b||Configure authentication methods||Authentication||Vault Authentication|
|6c||Configure Vault policies||Policies||Vault ACL Policies|
|6d||Access Vault secrets||Secrets Engines, Secrets Management Learning Track|
|6e||Enable Secret engines||Secrets Engines, Secrets Management Learning Track|
|6f||Configure environment variables||Environment Variables|
|7||Utilize Vault UI||Documentation||Guide||Interactive|
|7a||Authenticate to Vault||AppRole Pull Authentication||Vault Authentication|
|7b||Configure authentication methods||AppRole Pull Authentication||Vault Authentication|
|7c||Configure Vault policies||Vault Policies||Vault ACL Policies|
|7d||Access Vault secrets||Secrets Management Learning Track|
|7e||Enable Secret engines||Secrets Management Learning Track|
|8||Be aware of the Vault API||Documentation||Guide||Interactive|
|8a||Authenticate to Vault via Curl||API – Auth Methods|
|8b||Access Vault secrets via Curl||API – Secrets Engines|
|9||Explain Vault architecture||Documentation||Guide||Interactive|
|9a||Describe the encryption of data stored by Vault||Introduction to Vault|
|9b||Describe cluster strategy||Vault Reference Architecture|
|9c||Describe storage backends||Architecture||Deploy Vault|
|9d||Describe the Vault agent||Vault Agent||Vault Agent with AWS||Vault Agent|
|9e||Describe secrets caching||Vault Agent||Vault Agent Caching||Vault Agent|
|9f||Be aware of identities and groups||Identity: Entities and Groups||Vault Identity - Entities & Groups|
|9g||Describe Shamir secret sharing and unsealing||Deploy Vault – Seal/Unseal||Vault Operations|
|9h||Be aware of replication||Vault Enterprise Replication||[Enterprise] Setting up Performance Replication|
|9i||Describe seal/unseal||Deploy Vault – Seal/Unseal|
|9j||Explain response wrapping||Cubbyhole Response Wrapping||Vault Secrets Engines - Cubbyhole|
|9k||Explain the value of short-lived, dynamically generated secrets||Secrets as a Service: Dynamic Secrets|
|10||Explain encryption as a service||Documentation||Guide||Interactive|
|10a||Configure transit secret engine||Encryption as a Service: Transit Secrets Engine||Vault Encryption as a Service|
|10b||Encrypt and decrypt secrets||Encryption as a Service: Transit Secrets Engine||Vault Encryption as a Service|
|10c||Rotate the encryption key||Encryption as a Service: Transit Secrets Engine||Vault Encryption as a Service|