HashiCorp HashiCorp Certifications VA-002-P Questions & Answers

• Question 191:

  When creating a dynamic secret in Vault, Vault returns what value that can be used to renew or revoke the lease?

  A. lease_id

  B. vault_accessor

  C. revocation_access

  D. token_revocation_id

  Correct Answer: A

  When reading a dynamic secret, such as via vault read, Vault always returns a lease_id. This is the ID

  used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.

  vault lease lookup

  Usage: vault lease [options] [args]

  This command groups subcommands for interacting with leases. Users can revoke or renew leases.

  Renew a lease:

  $ vault lease renew database/creds/readonly/2f6a614c...

  Revoke a lease:

  $ vault lease revoke database/creds/readonly/2f6a614c...

  Subcommands:

  renew Renews the lease of a secret

  revoke Revokes leases and secrets

  Reference link:- https://www.vaultproject.io/docs/concepts/lease

• Question 192:

  In order to extend Vault beyond a data center or cloud regional boundary, what feature should be used?

  A. plugins

  B. secrets engine

  C. replication

  D. seal/unseal

  E. snapshots

  Correct Answer: C

  To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

• Question 193:

  Which command is used to initialize Vault after first starting the Vault service?

  A. vault create key

  B. vault operator init

  C. vault operator initialize keys

  D. vault start

  E. vault operator unseal

  Correct Answer: B

  The vault operator init command initializes a Vault server. Initialization is the process by which Vault's

  storage backend is prepared to receive data.

  This only happens once when the server is started against a new backend that has never been used with

  Vault before.

  Reference link is below:- https://www.vaultproject.io/docs/commands/operator/init

• Question 194:

  What is the result of the following Vault command?

  vault auth enable userpass

  A. Imports usernames and passwords from LDAP to the local database

  B. allows Vault to access usernames and passwords stored in a second Vault cluster

  C. Enables Vault to use external services to authenticate clients to Vault

  D. mounts the userpass auth method to the default path

  Correct Answer: D

  The auth enable command enables an auth method at a given path. If an auth method already exists at the

  given path, an error is returned.

  Command to enable auth method vault auth followed by the name of the auth method.

  Additional parameters can be included to specify the name of the mount.

• Question 195:

  An application is trying to use a secret in which the lease has expired. What can be done in order for the application to successfully request data from Vault?

  A. request a new secret and associated lease

  B. try the expired secret in hopes it hasn't been deleted yet

  C. request the TTL be extended for the secret

  D. perform a lease renewal

  Correct Answer: A

  A lease must be renewed before it has expired. Once it has expired, it is permanently revoked and a new secret must be requested.

• Question 196:

  Vault has failed to start. You inspect the log and find the error below. What needs to be changed in order to

  successfully start Vault?

  "Error parsing config.hcl: At 1:12: illegal char"

  A. the " character cannot be used in the config file

  B. fix the syntax error in the Vault configuration file

  C. you must use single quotes vs double quotes in the config file

  D. line 1 on the config file is blank

  Correct Answer: B

  It implies that there is a syntax error in the configuration file. The exact location of the error in the file can be identified in the error message

• Question 197:

  What type of token does not have a TTL (time to live)?

  A. default tokens

  B. parent tokens

  C. user tokens

  D. root tokens

  E. expired tokens

  F. child tokens

  Correct Answer: D

  Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire. Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that are not associated with a TTL, and therefore, do not expire.

• Question 198:

  After creating a dynamic credential on a database, the DBA accidentally deletes the credentials on the database itself. When attempting to remove the lease, Vault returns an error stating that the credential cannot be found. What command can be run to coerce Vault to remove the secret?

  A. vault lease -renew

  B. vault lease revoke -force -prefix

  C. vault revoke -apply

  D. vault lease revoke -enforce

  Correct Answer: B

  The -force flag is meant for recovery when the secret in the target secrets engine was manually deleted.

• Question 199:

  When Vault is sealed, which are the only two options available to a Vault administrator? (select two)

  A. rotate the encryption key

  B. unseal Vault

  C. view the status of Vault

  D. configure policies

  E. author security policies

  F. view data stored in the key/value store

  Correct Answer: BC

  When Vault is sealed, the only two options available are, viewing the vault status and unsealing Vault. All the other actions performed after the Vault is unsealed and the user is authenticated.

• Question 200:

  Which auth method is ideal for machine to machine authentication?

  A. GitHub

  B. UserPass

  C. AppRole

  D. Okta

  Correct Answer: C

  The ideal method for a machine to machine authentication is AppRole although it's not the only method. The other options are frequently reserved for human access. Reference link:- https://www.hashicorp.com/ blog/authenticating-applications-with-vault-approle/