Pass the HashiCorp HashiCorp Security Automation Certification HCVA0-003 Questions and answers with CertsForce

The requirement is to enable a versioned Key/Value secrets engine at a custom mount path named my-secrets. KV version 2 can be enabled either by specifying kv-v2 as the plugin type or by enabling kv with the -version=2 flag and a path. Among the provided options, only vault secrets enable -path= " my-secrets " kv-v2 both enables the correct versioned KV engine and places it at the requested path. Option A enables an authentication method, not a secrets engine. Option C enables the KV engine but does not explicitly select KV version 2. Option D selects version 2 but does not set the required custom path. HashiCorp’s KV v2 setup documentation confirms that kv-v2 can be used directly with vault secrets enable -path < mount_path > .

================

The lease must be renewed using the full lease_id returned by Vault. In the exhibit, the lease ID is database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD, so the correct command is vault lease renew database/creds/readonly/fyF5xDomnKeCHNZNQgStwBKD. The lease_renewable true field only means the lease is eligible for renewal; it does not mean Vault automatically renews it forever. Option C provides only the credential path prefix, not the specific lease ID. Option D omits the lease ID entirely, so Vault would not know which lease to renew. HashiCorp’s lease documentation states that Vault returns a lease_id when reading a dynamic secret and that this ID is used with vault lease renew and vault lease revoke.

The statement is true. Vault CLI commands support structured output formats through the -format flag, and valid formats include table, json, and yaml. Table output is commonly used for human-readable CLI work, while JSON and YAML are useful for automation, scripts, CI/CD pipelines, and parsing command output with tools such as jq. This is important for the Vault Associate exam because Vault administration often requires reading command output and knowing how to produce machine-readable results. For example, vault write -format=json ... can return JSON output instead of the default table format. HashiCorp’s command documentation confirms that the output format can be set to table, JSON, or YAML, including through the VAULT_FORMAT environment variable.

================

AppRole is the correct choice for the on-premises CI/CD targets because it is designed for machine and application authentication. AWS auth is appropriate for AWS workloads because Vault can validate AWS identity metadata, but it does not naturally authenticate vSphere-based on-premises workloads. GitHub auth is mainly user/team oriented and tied to GitHub identity, not a generic CI/CD machine identity pattern. Userpass requires a username and password and is generally unsuitable for automated pipelines because it encourages static credential handling. AppRole uses a RoleID and SecretID model, allowing controlled authentication for services, automation, and pipelines that do not have a native cloud identity provider. HashiCorp’s AppRole documentation describes it as an auth method for machines and apps.

================

The statement is true. When an auth method is disabled, all users authenticated via that method lose access. This is because the tokens issued by the auth method are automatically revoked when the auth method is disabled. This prevents the users from performing any operation in Vault using the revoked tokens. To regain access, the users have to authenticate again using a different auth method that is enabled and has the appropriate policies attached. References:  Auth Methods | Vault | HashiCorp Developer ,  auth disable - Command | Vault | HashiCorp Developer

A Vault lease is revoked by referencing the lease ID. When Vault returns a dynamic secret, such as database credentials, it includes a lease_id. That lease ID is the handle used by lease management commands, including vault lease renew and vault lease revoke. A Secret ID is associated with AppRole authentication and is not the identifier used to revoke a dynamic secret lease. A user ID is not used for lease revocation. A token ID may be used for token operations, but Vault leases for dynamic secrets are managed through lease-specific commands and lease IDs. The exam point is direct: if the task is to revoke leased dynamic credentials, the operator needs the lease ID returned with those credentials. HashiCorp’s lease documentation states that clients use the lease ID to renew or revoke a secret.

================

Integrated Storage is a Raft-based storage backend that allows Vault to store its data internally without relying on an external storage system. It also enables Vault to run in high availability mode with automatic leader election and failover. However, Integrated Storage is not immune to data loss or corruption due to hardware failures, network partitions, or human errors. Therefore, it is recommended to use the snapshot feature to backup and restore the Vault data periodically or on demand. A snapshot is a point-in-time capture of the entire Vault data, including the encrypted secrets, the configuration, and the metadata. Snapshots can be taken and restored using the vault operator raft snapshot command or the sys/storage/raft/snapshot API endpoint. Snapshots are encrypted and can only be restored with a quorum of unseal keys or recovery keys.  Snapshots are also portable and can be used to migrate data between different Vault clusters or storage backends. References: https://developer.hashicorp.com/vault/docs/concepts/integrated-storage 1 , https://developer.hashicorp.com/vault/docs/commands/operator/raft/snapshot 2 , https://developer.hashicorp.com/vault/api-docs/system/storage/raft/snapshot 3

The missing capability is update. In Vault ACL policies, read allows a client to retrieve data from a path, but it does not allow changing the data at that path. To modify an existing value, the policy must grant update capability. The list capability only allows listing keys or path entries; it does not read or modify secret values. The delete capability removes data, but it is not needed to change an existing value. The sudo capability is reserved for root-protected paths and administrative operations, not normal secret modification. Since the role can already read the secret, option E is already present and cannot be the missing permission. HashiCorp’s policy documentation states that update allows changing data at a path, while read only allows reading data.

================

The maximum time-to-live (TTL) for a token is defined by the lowest value among the following factors:

The authentication method that issued the token. Each auth method can have a default and a maximum TTL for the tokens it generates. These values can be configured by the auth method’s mount options or by the auth method’s specific endpoints.

The mount endpoint configuration that the token is accessing. Each secrets engine can have a default and a maximum TTL for the leases it grants. These values can be configured by the secrets engine’s mount options or by the secrets engine’s specific endpoints.

A parent token TTL. If a token is created by another token, it inherits the remaining TTL of its parent token, unless the parent token has an infinite TTL (such as the root token). A child token cannot outlive its parent token.

System max TTL. This is a global limit for all tokens and leases in Vault. It can be configured by the system backend’s max_lease_ttl option.

The client system that uses the token cannot define the maximum TTL for the token, as this is determined by Vault’s configuration and policies. The client system can only request a specific TTL for the token, but this request is subject to the limits imposed by the factors above.

In the HashiCorp Vault UI, secrets are organized in a tree-like structure. To view a secret located at secret/my-secret, you would click on the “secret/” folder in the tree, then click on the “my-secret” file. In this screenshot, the “secret/” folder is located at option C. This folder contains the secrets that are stored in the key/value secrets engine, which is the default secrets engine in Vault. The key/value secrets engine allows you to store arbitrary secrets as key/value pairs. The key is the path of the secret, and the value is the data of the secret. For example, the secret located at secret/my-secret has a key of “my-secret” and a value of whatever data you stored there.