Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. HashiCorp
  5. HCVA0-003

HashiCorp HCVA0-003 Exam
HashiCorp Certified: Vault Associate (003) (Page 4 )

Updated On: 7-Feb-2026
Page 4 of 58
PDF with 285 Questions

Tommy has written an AWS Lambda function that will perform certain tasks for the organization when data has been uploaded to an S3 bucket. Security policies for the organization do not allow Tommy to hardcode any type of credential within the Lambda code or environment variables. However, Tommy needs to retrieve a credential from Vault to write data to an on-premises database.
What auth method should Tommy use in Vault to meet the requirements while not violating security policies?

  1. AWS
  2. Userpass
  3. Token
  4. AppRole

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: AWS auth uses IAM roles, avoiding hardcoded credentials. Correct for Lambda.
B: Userpass requires username/password, violating policy. Incorrect.
C: Token requires a pre-generated token, often hardcoded. Incorrect.
D: AppRole needs RoleID/SecretID, typically hardcoded. Incorrect.
Overall Explanation from Vault Docs:
"The AWS auth method provides an automated mechanism to retrieve a Vault token for IAM principals... no manual credential provisioning required."


Reference:

https://developer.hashicorp.com/vault/docs/auth/aws#aws-auth-method



What command would have created the token displayed below? $ vault token lookup hvs.nNeZ2I64ALCxuO7dqQEJGPrO

Key: policies Value: [default dev], num_uses: 5, ttl: 767h59m49s

Key Value
--- -----
accessor mfvaVMFgOcXHIeqlRasroSOn creation_time 1604610457
creation_ttl 768h display_name token entity_id n/a expire_time 2024-12-07T16:07:37.7540672-05:00
explicit_max_ttl 0s id hvs.nNeZ2I64ALCxuO7dqQEJGPrO
issue_time 2024-11-05T16:07:37.7540672-05:00
meta <nil>
num_uses 5
orphan false path auth/token/create policies [default dev]
renewable true ttl 767h59m49s type service

  1. vault token create -policy=dev -use-limit=5
  2. vault token create -policy=dev -ttl=768h
  3. vault token create -policy=dev -policy=default -ttl=768h
  4. vault token create -policy=dev

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: Matches dev policy and num_uses=5. TTL is system default (768h). Correct.
B: Missing num_uses. Incorrect.
C: Adds default policy explicitly, not needed as it's implicit. Incorrect.
D: Missing num_uses. Incorrect.
Overall Explanation from Vault Docs:
"vault token create with -policy and -use-limit sets specific attributes... default policy is included implicitly."


Reference:

https://developer.hashicorp.com/vault/docs/commands/token/create#command-options



You've set up multiple Vault clusters, one on-premises intended to be the primary cluster, and the second cluster in AWS, which was deployed for performance replication. After enabling replication, developers complain that all the data they've stored in the AWS Vault cluster is missing.
What happened?

  1. There is a certificate mismatch after replication was enabled since Vault replication generates its own TLS certificates to ensure nodes are trusted entities
  2. All of the data on the secondary cluster was deleted after replication was enabled
  3. The data was automatically copied to the primary cluster after replication was enabled since all writes are always forwarded to the primary cluster
  4. The data was moved to a recovery path after replication was enabled. Use the vault secrets move command to move the data back to its intended location

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
A: Certificate issues don't delete data. Incorrect.
B: Performance replication wipes the secondary's data to sync with the primary. Correct.
C: Data isn't copied to the primary; replication is one-way. Incorrect.
D: No recovery path exists; data is wiped. Incorrect.
Overall Explanation from Vault Docs:
"When replication is enabled, all of the secondary's existing storage will be wiped... This is irrevocable."


Reference:

https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication



Based on the screenshot below, how many auth methods have been enabled on this Vault instance?

  1. 1
  2. 2
  3. 4
  4. 3

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
Token is enabled by default and cannot be disabled.
Userpass is explicitly enabled.
Total: 2 auth methods.
Overall Explanation from Vault Docs:
"Tokens are the default auth method... Additional methods like userpass increase the count."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/tokens



Given the following policy, which command below would not result in a permission denied error (select two)?
path "secret/*" { capabilities = ["create", "update"] allowed_parameters = { "student" = ["steve", "frank", "jamie", "susan", "gerry", "damien"] } }
path "secret/apps/*" { capabilities = ["read"] }
path "secret/apps/results" { capabilities = ["deny"] }

  1. vault kv put secret/apps/results student03=practice
  2. vault kv put secret/apps/app01 student=bryan
  3. vault kv put secret/common/results student=frank
  4. vault kv get secret/apps/api_key

Answer(s): C,D

Explanation:

Comprehensive and Detailed in Depth
A: Denied by secret/apps/results deny policy. Incorrect.
B: secret/apps/app01 only allows read, not create. Incorrect.
C: secret/common/results allows create with student=frank (allowed value). Correct.
D: secret/apps/api_key allows read. Correct.
Overall Explanation from Vault Docs:
"deny overrides any allow... allowed_parameters restricts values."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/policies#parameter-constraints






Post your Comments and Discuss HashiCorp HCVA0-003 exam prep with other Community members:

Join the HCVA0-003 Discussion