Free HashiCorp HCVA0-003 Practice Exam with Questions & Answers | Set: 2

The vault lease renew command increments the lease time from the current time, not the end of the lease. This means that the user can request a specific amount of time they want remaining on the lease, termed the increment. This is not an increment at the end of the current TTL; it is an increment from the current time. For example, vault lease renew -increment=3600 my-lease-id would request that the TTL of the lease be adjusted to 1 hour (3600 seconds) from now. Having the increment be rooted at the current time instead of the end of the lease makes it easy for users to reduce the length of leases if they don’t actually need credentials for the full possible lease period, allowing those credentials to expire sooner and resources to be cleaned up earlier. The requested increment is completely advisory.  The backend in charge of the secret can choose to completely ignore it 1 .  References :

Lease, Renew, and Revoke | Vault | HashiCorp Developer

The lease must be renewed using the full lease_id returned by Vault. In the exhibit, the lease ID is database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD, so the correct command is vault lease renew database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD. The lease_renewable true field only means the lease is eligible for renewal; it does not mean Vault automatically renews it forever. Option C provides only the credential path prefix, not the specific lease ID. Option D omits the lease ID entirely, so Vault would not know which lease to renew. HashiCorp’s lease documentation states that Vault returns a lease_id when reading a dynamic secret and that this ID is used with vault lease renew and vault lease revoke.

To use an entity alias in an ACL policy template, the critical value is the auth method mount accessor. Vault identities can have aliases from different authentication mounts, and the same alias name may exist under different auth methods. Vault therefore identifies an alias by combining the alias name with the authentication mount accessor. In templated ACL policies, alias data is referenced with a structure such as identity.entity.aliases. < mount accessor > .metadata. < metadata key > . The auth method path alone is not the correct unique identifier for the template. A group name is used for group-based identity references, not entity aliases. A metadata key may be used after the alias accessor is known, but it is not sufficient by itself. HashiCorp documents that the mount accessor is required when using alias metadata in templated policies.

================

Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration. Some of the statements that describe the secrets engines in Vault are:

Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached.  Other secrets engines perform more complex operations, such as generating dynamic credentials, encrypting data, issuing certificates, etc 1 .

You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC.  You can also use the SDK to create your own secrets engine in Go and compile it into Vault 2 .

Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets engine is enabled can be customized and can have multiple segments.  For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/ 3 .

The statements that are not true about the secrets engines in Vault are:

You can disable an existing secrets engine by using the vault secrets disable command or the sys/mounts API endpoint.  When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend 4 .

A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others.  For example, you can enable the KV secrets engine at kv/ and secret/ and they will not share any data 3 .

A dynamic secret is generated by Vault when requested and is normally tied to a lease, TTL, and revocation lifecycle. This is different from a static KV secret, which is manually stored and later retrieved from Vault. Dynamic secrets are commonly used for databases, cloud providers, SSH, and similar systems because Vault can create short-lived credentials and revoke them automatically when the lease expires. Option A describes KV v2 static versioned storage, not dynamic generation. Option C describes a password rotation policy, not Vault’s dynamic secret model. Option D incorrectly suggests secrets update encryption algorithms. HashiCorp’s database secrets engine documentation states that Vault dynamically generates database credentials, and Vault lease documentation explains that dynamic secrets are managed through lease IDs and TTLs.

================

The three policies that exist in Vault are:

admins: This policy grants full access to all secrets and operations in Vault. It can be used by administrators or operators who need to manage all aspects of Vault.

default: This policy grants access to all secrets and operations in Vault except for those that require specific policies. It can be used as a fallback policy when no other policy matches.

transit: This policy grants access only to the transit secrets engine, which handles cryptographic functions on data in-transit. It can be used by applications or services that need to encrypt or decrypt data using Vault.

These policies allow an organization to perform useful tasks such as:

Encrypting, decrypting, and rewrapping data using the transit engine all in one policy: This policy grants access to both the transit secrets engine and the default policy, which allows performing any operation on any secret in Vault.

Creating a transit encryption key for encrypting, decrypting, and rewrapping encrypted data: This policy grants access only to the transit secrets engine and its associated keys, which are used for encrypting and decrypting data in transit using AES-GCM with a 256-bit AES key or other supported key types.

Separating permissions allowed on actions associated with the transit secret engine: This policy grants access only to specific actions related to the transit secrets engine, such as creating keys or wrapping requests. It does not grant access to other operations or secrets in Vault.

The error was thrown because the policy code contains an invalid capability, “write”. The valid capabilities for a policy are “create”, “read”, “update”, “delete”, “list”, and “sudo”. The “write” capability is not recognized by Vault and should be replaced with “create”, which allows creating new secrets or overwriting existing ones. The other statements are not correct, because the wildcard (*) and the sudo capability are both valid in a policy. The wildcard matches any number of characters within a path segment, and the sudo capability allows performing certain operations that require root privileges.

Integrated Storage is a Raft-based storage backend that allows Vault to store its data internally without relying on an external storage system. It also enables Vault to run in high availability mode with automatic leader election and failover. However, Integrated Storage is not immune to data loss or corruption due to hardware failures, network partitions, or human errors. Therefore, it is recommended to use the snapshot feature to backup and restore the Vault data periodically or on demand. A snapshot is a point-in-time capture of the entire Vault data, including the encrypted secrets, the configuration, and the metadata. Snapshots can be taken and restored using the vault operator raft snapshot command or the sys/storage/raft/snapshot API endpoint. Snapshots are encrypted and can only be restored with a quorum of unseal keys or recovery keys.  Snapshots are also portable and can be used to migrate data between different Vault clusters or storage backends. References: https://developer.hashicorp.com/vault/docs/concepts/integrated-storage 1 , https://developer.hashicorp.com/vault/docs/commands/operator/raft/snapshot 2 , https://developer.hashicorp.com/vault/api-docs/system/storage/raft/snapshot 3

Using a short-lived dynamic secrets can help limit the scope of a credential breach by reducing the exposure time of the secrets. Dynamic secrets are generated on-demand by Vault and automatically revoked when they are no longer needed. This way, the credentials are not stored in plain text or in a static database, and they can be rotated frequently to prevent unauthorized access. Dynamic secrets also provide encryption as a service, which means that they perform cryptographic operations on data in-transit without storing any data. This adds an extra layer of security and reduces the risk of data leakage or tampering. References:  Dynamic secrets | Vault | HashiCorp Developer ,  What are dynamic secrets and why do I need them? - HashiCorp

The Vault UI hides or denies access to sections that the current token cannot use. ACL policy management is controlled by Vault policies, usually through access to policy-related system paths. If the authenticated token does not have the required permissions to list, read, create, or update policies, the UI will not expose the ACL Policies menu as expected. There is no separate “policy engine” that must be enabled; policies are a core Vault authorization mechanism. Option C is also incorrect because the issue is not solved by moving to a “policy namespace” unless the token has the required permissions in that namespace. The exhibit behavior is a permissions problem. HashiCorp documents that Vault access is controlled by policies and that unauthorized paths evaluate to deny.

================