Vault
Exam orientation - Vault Operations Professional
Warning
These exam preparation tutorials will not be available for reference during the exam. The exam asks you to apply your expertise by solving real world problems in a virtual environment. Therefore, Vault's docs and Vault's API docs will be available during the exam.
The Vault Operations Professional exam is a lab-based exam for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. You are well-qualified to take this exam if you hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases.
Note
The Vault Operations Professional Certification exam runs a Vault Enterprise binary, and the objectives covers Vault Enterprise features in addition to OSS features.
Prerequisites
- HashiCorp Certified: Vault Associate Certification (recommended)
- Linux skills such as list and edit files via command terminal
- Understanding of IP networking
- Experience with Public Key Infrastructure (PKI), including PGP and TLS
- Information security fundamentals such as network security and RBAC
- Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs
Format
There are three types of questions on the exam:
- Hands-on: Perform the instructed operational tasks using the Vault CLI or UI in the given Linux environments.
- Multiple-choice: Choose one or more correct responses from the multiple response options.
- Hybrid: For a given multiple-choice question, inspect the provided Vault environment to discover the correct response.
View the exam environment and learn more about the exam experience in the following orientation video.
Frequently asked questions (FAQ)
Q: I don't have a Vault Enterprise environment to practice. Can I have a trial license?
Yes. You can request a 30-day Vault Enterprise trial license through the Certification Portal.
Q: What Linux skills are required?
- You should know basic Linux commands that allow you to copy and paste, navigate a Linux file system, change permissions, and create folders and files.
- You must be able to work with Vault instances running on Linux.
- You should be able to execute Vault commands from the Linux terminal.
- The Vault UI is available during the exam, and Visual Studio Code is available to modify the server configuration file.
Sample multiple-choice questions
Question 1
Your organization is migrating applications to run on a Kubernetes environment. This motivated the operations team to deploy Vault on Kubernetes. Which best practices does HashiCorp recommend to securely run Vault on Kubernetes? Choose two correct answers.
š A: Run as root.
š B: Ensure that memory lock (mlock
) is enabled to prevent memory swap.
š C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
š D: Do not use Consul as a Vault storage backend.
š E: If an intermediate load balancer exists, Vault traffic does not have to use
Transport Layer Security (TLS).
Correct answers are B and C.
ā A: Run as root.
ā
B: Ensure that memory lock (mlock
) is enabled to prevent memory swap.
ā
C: Turn off core dumps inside the container to prevent possible exposure of
Vault encryption keys.
ā D: Do not use Consul as a Vault storage backend.
ā E: If an intermediate load balancer exists, Vault traffic does not have to use
Transport Layer Security (TLS).
Be sure to read the Vault on Kubernetes Security Considerations tutorial.
- You do not want to start the container as root as a security precaution.
- You want to enable
mlock
to prevent memory swap. - Disable core dumps. Otherwise, a user may force a core dump and the resulting file can potentially expose Vault encryption keys.
- Integrated Storage is recommended; however, Consul is still supported.
- When running production load, you should always use with TLS.
Question 2
Your organization's Vault environment has multiple auth methods enabled. As a result, a user may have more than one login method to authenticate with Vault. However, depending on the auth method the user chose, Vault provides a different set of access to secrets. To mitigate this issue, which of the following solutions provides a secure access to Vault while giving the user necessary permissions?
š A: Create an entity for the user, and attach required policies at the entity
level so that the user's client token can inherit the appropriate policies
regardless of the auth method.
š B: Share the root token with everyone who needs to manage secrets managed by
Vault.
š C: Create a new Vault policy that permits all required actions and update all
auth method configuration to attach the new policy.
š D: Enable the Username & Password (userpass) auth method. Create a new user and
map each of the user's entities to the newly created user.
Correct answer is A.
ā
A: Create an entity for the user, and attach required policies at the entity
level so that the user's client token can inherit the appropriate policies
regardless of the auth method.
ā B: Share the root token with everyone who needs to manage secrets managed by
Vault.
ā C: Create a new Vault policy that permits all required actions and update all
auth method configuration to attach the new policy.
ā D: Enable the Username & Password (userpass) auth method. Create a new user and
map each of the user's entities to the newly created user.
Be sure to read the Identity: Entities and Groups tutorial if you are unfamiliar with Vault entities and groups.
Choice B is a bad idea. If the user does not have the appropriate knowledge, the user can accidentally delete secrets or do something worse.
The downside of choice C is the Vault admin has multiple configurations to update; therefore, it is prone to human error. Choice A is a more straightforward solution than choice C.
Choice D does not present the actual solution to the problem. It does not describe what is significant about the new user to solve the issue.
Next steps
A big part of the Vault Operations Professional Certification exam is hands-on, which means the only way to study for it is to practice and gain hands-on experience.
The Learning path - Vault Operations Professional provides hints and tips to prepare for the exam. If you already have enough Vault experience around the objectives, skip to the content list for a quick reference.