Vault
Learning path - Vault Associate (003)
Note
The material covered in this learning path is for the Vault Associate 003 exam version, which is coming in early 2025. Switch to the Vault Associate 002 exam version if you need to take the exam in 2024.
The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
Assessment details
This exam tests on Vault 1.16
Prerequisites
- Basic terminal skills
- Basic understanding of on-premise or cloud architecture
- Basic level of security understanding
To learn more about the exam, visit the HashiCorp Product Certifications page.
Study for the exam
Expect to see questions associated with each exam objective. If you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam, skip to the content list.
The sample questions help you get familiar with the format of the questions.
This learning path provides links to tutorials and documentation to learn the features that are covered in the exam.
Access Vault
Objectives covered: 1a - 1f, 2a - 2e, 3a - 3f
You will be tested on your knowledge of accessing Vault using supported interfaces such as the UI, CLI, and API and the relationship between authentication methods, tokens, and policies.
- Complete the Vault foundations tutorials
- Read the Introduction to Vault documentation
- Read the Vault Concepts documentation to make sure that you understand the core concepts
- Review the Overview section of the Vault Commands (CLI) documentation to understand the basic structure of CLI
Authentication
Objectives covered: 1a - 1f
Authentication in Vault is achieved through the use of auth methods. All instances of Vault start with the token auth method enabled. There are additional auth methods to support a wide range of services.
- Understand the concept of authentication in Vault
- Configure basic settings to set up an auth method
- Authenticate with Vault using the UI, CLI, and API.
- Choose between human-centric (e.g. LDAP, GitHub) and machine-oriented auth methods (e.g. AWS, AppRole, Kubernetes)
- Get familiar with Vault CLI to configure auth methods
- Get familiar with Vault UI to configure auth methods
- Go through the interactive tutorial attached to the AppRole Pull Authentication tutorial
- Understand how Vault uses entities and groups to manage identities
Policies
Objectives covered: 2a - 2e
Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send authenticated requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.
- Go through the Vault policies tutorial
- Describe the syntax of a Vault policy
- Choose the appropriate capabilities for a Vault policy
- Explain how to create a Vault policy using the CLI and UI
- Be aware of the use of "
*
" and "+
" in policy paths and their impact on policy application - Understand that there are built-in policies:
root
anddefault
- Keep it in mind that Vault is deny by default → No policy means no access
Tokens
Objectives covered: 3a - 3f
Vault issues a token upon successful authentication. The token auth method is the default auth method enabled for all versions of Vault, but Vault issues a token regardless of the auth method used. Tokens include important information that define the access granted to the Vault token. There are different types of tokens depending on your use case and scale.
- Read the token concepts documentation
- Describe the purpose and use of root tokens, how they can be regenerated later.
- When tokens are created, a token accessor is also created and returned. Use it to:
- Know the basics of using token accessors
- Look up a token's properties (not including the actual token ID)
- Look up a token's capabilities on a path
- Renew the token
- Revoke the token
- Go through the tokens tutorial
- Be familiar with the vault token sub-commands:
capabilities
,create
,lookup
,renew
,revoke
- Know the characteristics of batch tokens
- Understand the token's TTL and max TTL → know when a token expires and no longer renewable
Manage secrets
Objectives covered: 4a - 4c, 5a - 5h
The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Be able to explain the differences between static and dynamic secrets. Understand what is a lease in Vault. Explain how a lease is used by Vaults dynamic secrets engines (e.g. database, aws, consul). Identify how to use a lease to manage the availability of a secret. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.
- Browse the Secrets Engines section of the Vault documentation focusing on:
- Compare and contrast static and dynamic secrets
- Choose a secrets engine based on a given use case
- Review the Secrets Management tutorials paying special attention to these tutorials:
- Describer the purpose, and use cases for the transit secrets engine
- Read the lease, renew, and revoke documentation
- Use lease ID to renew or revoke a lease
- Be familiar with the
vault lease
command - Understand the lease time-to-live (TTL)
- Review the Vault product use cases. To test your understanding of Vault, some scenario-based questions will be asked
Design Vault architecture
Objectives covered: 7a-7c, 8a - 8e, 9a - 9b
With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.
Read the Architecture section of the documentation
Follow the Vault Reference Architecture guide
- Be familiar with the recommended Vault Deployment Architecture diagrams (e.g. how many nodes in a cluster)
Familiarize yourself with the Vault Enterprise features — especially Replication—by reading the documentation. Some scenario-based questions will be asked
Understand the benefits of HCP Vault Dedicated and supported feature
Explain the different deployment models for Vault, including HashiCorp managed clusters on HCP
Be aware of Enterprise Replication and what they achieve (you just need to know the concept)
Performance Replication vs. Disaster Recovery (DR) Replication
Scaling vs. Fault-tolerance
The following table shows a capability comparison between disaster recovery and performance replication.
Capability Disaster Recovery Performance Replication Mirrors the configuration of a primary cluster Yes Yes Mirrors the configuration of a primary cluster’s backends (i.e., auth methods, secrets engines, audit devices, etc.) Yes Yes Mirrors the tokens and leases for applications and users interacting with the primary cluster Yes No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary. Allows the secondary cluster to handle client requests No Yes
Understand the components of Vault (cryptographic barrier, storage backend, auth methods, etc.)
Secrets are encrypted by Vault's barrier; therefore, the storage backend contains the encrypted Vault data.
Storage backend: Integrated Storage questions have been added → Preflight Checklist gives you the comparison between Consul and Integrated Storage
Understand how seal/unseal works
Shamir's Secret Sharing algorithm (default)
Auto unseal concept (use recovery keys instead of unseal keys to regenerate a root token)
Describe the purpose of the Vault Secrets Operator (VSO)
Explain the challenges that VSO solves
Understand the challenge that Vault Agent solves
Follow the Vault Agent Templates tutorial
Read the Vault Agent documentation
- Auto-auth allows for easy authentication and manage the lifecycle of the client token → No need to implement that in your application
- Caching allows client-side caching of tokens and leases → Reduce the latency in getting secrets from Vault
- Templates documentation allows Vault Agent to leverage Consul Template markup → Your existing application can be Vault un-aware (no code change) while secrets are managed by Vault
Manage encryption as a service
Objectives covered: 6a - 6b
Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.
- Read the Transit section of the Secrets Engine documentation to learn its characteristics
- Follow these Data Encryption tutorials to learn its basic operation:
- Understand the common scenario introduced in the beginning of the tutorial, and what challenge it solves
- Encryption as a Service: Transit Secrets Engine
- Transit Secrets Re-wrapping
Next steps
For specific study materials that cover a particular exam objective, refer to the content list. Check out the sample questions to review the exam question format.