VA-002-P HashiCorp Certified: Vault Associate Free Practice Exam Questions (2025 Updated)

The command format for enabling Vault features is vault , therefore the correct answer would be vault secrets enable aws

Storage backends are not trusted by Vault and are only expected to render durability. The storage backend is configured when starting the Vault server.

Reference link:- https://www.vaultproject.io/docs/internals/architecture

The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be decrypted comfortably by an unauthorized party. In this case, data has been encrypted by specifying the keyring name creditcard.

The HTTP request is a GET which corresponds to a read capability. Thus, to grant access to generate database credentials, the policy would grant read access on the appropriate path.

Replication is not available in open-source versions of Vault. It is an enterprise feature.

The kv delete command is like a soft delete which deletes the data for the provided path in the key/value secrets engine. If using K/V Version 2, its versioned data will not be fully removed, but marked as deleted and will no longer be available for normal get requests.

The kv destroy command permanently removes the specified versions' data from the key/value secrets engine. If no key exists at the path, no action is taken. It does not deletes all versions of a secret.

The kv metadata delete command deletes all versions and metadata for the provided key.

Everything in Vault is path-based including policies. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

Policies are deny by default, so an empty policy grants no permission in the system.

Terraform is a cloud-agnostic tool, and therefore isn't limited to a single cloud provider, such as AWS CloudFormation or Azure Resource Manager. Terraform supports all of the major cloud providers and allows IT organizations to focus on learning a single tool for deploying its infrastructure, regardless of what platform it's being deployed on.

When tokens are created, a token accessor is also created and returned. This accessor is a value that acts as a reference to a token and can only be used to perform limited actions:

- Lookup a token's properties (not including the actual token ID)

- Lookup a token's capabilities on a path

- Renew the token

- Revoke the token

Reference link:- https://www.vaultproject.io/docs/concepts/tokens#token-accessors

The terraform state command is used for advanced state management. Rather than modify the state directly, the terraform state commands can be used in many cases instead.

https://www.terraform.io/docs/commands/state/index.html

The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply. This command will not modify infrastructure but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated. The next terraform apply will

implement this change.

count is a reserved word. The count parameter on resources can simplify configurations and let you scale resources by simply incrementing a number.

https://www.terraform.io/intro/examples/count.html

You do not need to specify every required argument in the backend configuration. Omitting certain arguments may be desirable to avoid storing secrets, such as access keys, within the main configuration. When some or all of the arguments are omitted, we call this a partial configuration.

With a partial configuration, the remaining configuration arguments must be provided as part of the initialization process. There are several ways to supply the remaining arguments:

Interactively: Terraform will interactively ask you for the required values unless interactive input is disabled. Terraform will not prompt for optional values.

File: A configuration file may be specified via the init command line. To specify a file, use the -backend-config=PATH option when running terraform init. If the file contains secrets it may be kept in a secure data store, such as Vault, in which case it must be downloaded to the local disk before running Terraform.

Command-line key/value pairs: Key/value pairs can be specified via the init command line. Note that many shells retain command-line flags in a history file, so this isn't recommended for secrets. To specify a single key/value pair, use the -backend-config="KEY=VALUE" option when running terraform init.

Just to clarify, "HashiCorp supported" means, it is supported by HashiCorp's technical support, it doesn't mean that Vault supports the platform as a storage backend.

For example, DynamoDB is a valid storage backend, but it is not officially supported by HashiCorp technical support but it has got the community support.

In-Memory - HashiCorp Supported

MySQL - Community Supported

Raft - HashiCorp Supported

Dynamo DB - Community Supported

Consul - HashiCorp Supported

Filesystem - HashiCorp Supported

Check more details on below link:- https://www.vaultproject.io/docs/configuration/storage/in-memory

Check below link for details:- https://learn.hashicorp.com/vault/operations/ops-reference-architecture

Terraform is available for macOS, FreeBSD, OpenBSD, Linux, Solaris, Windows

https://www.terraform.io/downloads.html

Vault supports AWS, Azure, Google Cloud, and Alibaba Cloud out of the box for secrets engines

Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire.

Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that are not associated with a TTL, and therefore, do not expire.

Vault secondary clusters must be manually promoted to a primary.