HashiCorp · Vault-Associate
Validates knowledge of HashiCorp Vault for secrets management and data protection, covering authentication methods, policies and tokens, lease management, static and dynamic secrets engines, encryption as a service, and Vault architecture including high availability.
Questions
622
Duration
60 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this Vault-Associate practice exam to prepare for HashiCorp Certified: Vault Associate with realistic questions, detailed explanations, and focused study modes. The practice bank includes 622 questions for HashiCorp Vault-Associate, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The HashiCorp Certified: Vault Associate (003) validates foundational knowledge and hands-on skills with HashiCorp Vault, the industry-standard platform for secrets management and data protection. The exam tests candidates on Vault's core mechanics: accessing Vault through the UI, CLI, and API; managing authentication methods, tokens, and policies; working with static and dynamic secrets engines including Key/Value, Database, and Identity engines; managing leases and renewals; and leveraging the Transit secrets engine for encryption as a service (EaaS). The current exam version tests against Vault 1.16 and covers both the open-source Community Edition and Enterprise features.
Candidates are also evaluated on Vault architecture, including high-availability deployment models, Vault Agent, the Vault Secrets Operator for Kubernetes, HCP Vault Dedicated on the cloud, and replication strategies. The certification is delivered through Certiverse, HashiCorp's online proctored testing platform, and is valid for two years. It serves as the foundation for advanced HashiCorp security certifications and is recognized across cloud-native and regulated enterprise environments.
This certification is designed for Cloud Engineers with foundational Vault experience who specialize in security, development, or operations. It is well-suited for DevOps engineers, Site Reliability Engineers (SREs), platform engineers, security engineers, and developers who integrate secrets management into cloud-native applications and pipelines.
Candidates working in environments that use Kubernetes, cloud infrastructure (AWS, Azure, GCP), or CI/CD platforms where secrets must be securely injected and managed will find this certification most relevant. It is an associate-level credential, meaning it targets practitioners who understand Vault's core concepts and can operate it in a production or demo environment, rather than those with deep architectural design experience.
There are no formal prerequisites required to sit for the exam. However, HashiCorp recommends that candidates have basic terminal competency, a foundational understanding of on-premises or cloud infrastructure, and a basic level of security knowledge before attempting the exam.
Practical experience using Vault in a production environment provides the strongest preparation, though candidates who have worked through all exam objectives in a personal or lab environment may also be ready. Familiarity with concepts such as authentication flows, PKI, database credential rotation, and Kubernetes secret injection will be advantageous, even if not explicitly required.
The Vault Associate (003) exam is a multiple-choice, online-proctored assessment delivered through Certiverse via HashiCorp's Certification Portal (GitHub login required). The exam duration is 1 hour, though candidates should budget approximately 90 minutes total to account for setup and identity verification. Question formats include standard multiple choice, true/false, scenario-based questions, and UI area-selection items.
HashiCorp does not publicly disclose the exact number of questions or a numerical passing score threshold — results are displayed as pass/fail immediately upon completion. A domain-level performance breakdown is typically made available within two business days. The exam costs $70.50 USD plus applicable taxes. Candidates who do not pass must wait 7 days before retaking and are limited to four attempts within a rolling year. Credentials are valid for 2 years, with recertification eligibility beginning at 18 months.
The Vault Associate certification signals verified competence in secrets lifecycle management, a skill set in high demand across DevOps, platform engineering, and security-focused roles. Organizations running cloud-native workloads on Kubernetes, AWS, Azure, or GCP routinely list Vault experience as a requirement in job postings for SRE, DevSecOps, and cloud security engineer roles. HashiCorp reports that 88% of exam takers agree that passing an Associate-level exam makes job candidates more desirable to employers. Vault has become the de facto standard for secrets management in enterprises operating in regulated industries (financial services, healthcare, government), making this certification particularly valuable for practitioners in those sectors.
Professionals specializing in HashiCorp tooling report average salaries in the range of $80,000 per year according to PayScale, with senior cloud security and platform engineering roles often commanding significantly more. The $70.50 exam fee and two-year validity period make it a high-ROI credential. It also serves as a stepping stone to the HashiCorp Vault Operations Professional certification, which targets advanced deployment and architectural design skills.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 622 questions.
Preview — answers shown1. An administrator needs to rotate the root credentials that Vault uses to connect to a PostgreSQL database for the database secrets engine. The current root credentials will be invalidated after rotation. Which command should they use? (Select one!)
Explanation
The vault write -f database/rotate-root/<connection-name> command rotates the root credentials for a specific database connection. This operation generates new credentials in the database, updates Vault's stored credentials, and invalidates the old credentials. The rotate parameter is not a valid configuration option for database config. The path database/root/rotate does not exist in Vault's database secrets engine. The secrets tune command does not support a -rotate-root flag for database credential rotation.
2. A Vault operator performs a snapshot operation on a Vault cluster using Integrated Storage (Raft) with the command 'vault operator raft snapshot save backup.snap'. The operator needs to verify the snapshot was captured successfully and contains recent data. Which approach validates the snapshot integrity and recency? (Select one!)
Explanation
The snapshot inspect command examines snapshot metadata including the index, term, timestamp, and configuration without requiring restoration. This provides immediate validation of snapshot recency and basic integrity. Restoring to a test cluster fully validates the snapshot but is operationally heavy for routine verification. File size comparison is unreliable as data changes affect size unpredictably. Listing peers shows current cluster state, not snapshot contents. Vault does not automatically generate checksums during snapshot save; manual checksum verification would require separate tooling.
3. A Vault policy uses parameter restrictions to enforce data validation on the KV v2 secrets engine. The policy includes the following configuration: path secret/data/applications/* { capabilities = [create, update] required_parameters = [app_name, environment] allowed_parameters = { app_name = [] environment = [production, staging, development] } }. An application attempts to write a secret with app_name=webserver and environment=testing. What happens? (Select one!)
Explanation
The allowed_parameters configuration specifies permitted values for parameters. For the environment parameter, only production, staging, and development are allowed. The value testing is not in this list, causing the write operation to fail. All required parameters are provided, but the environment value violates the allowed_parameters constraint. For app_name, the empty brackets indicate any value is allowed, not that no value is permitted. Vault enforces parameter restrictions strictly and does not allow operations with warnings; the operation either succeeds or fails based on policy evaluation.
4. A financial services company needs to enable userpass authentication for developers in the us-east region and a separate userpass instance for developers in the eu-west region with different password policies. What should the Vault administrator do? (Select one!)
Explanation
Vault supports mounting the same authentication method multiple times using custom paths with the -path flag. This allows organizations to run userpass at both auth/us-east-userpass and auth/eu-west-userpass with different configurations and password policies for each region. Creating separate user accounts in a single userpass instance does not provide configuration isolation. Namespace isolation is an Enterprise feature and adds unnecessary complexity. Deploying separate Vault clusters is operationally expensive when multiple auth method instances solve the requirement.
5. A development team writes a Vault policy to allow reading secrets from the KV v2 secrets engine mounted at secret/. The policy is defined as: path "secret/myapp/*" { capabilities = ["read"] }. Users report they can read secret values but cannot list the available secrets under secret/myapp/. What is the issue? (Select one!)
Explanation
In KV v2, list operations are performed against the metadata path, not the data path. While the CLI abstracts the data and metadata paths for user convenience, policies must explicitly specify these paths. To allow listing secrets, the policy must grant the list capability on the metadata path: path secret/metadata/myapp/* { capabilities = [list] }. The read capability does not implicitly include list permissions. The data path is used for reading, writing, and deleting secret values, while the metadata path is used for listing keys and managing secret metadata such as version history and configuration. The glob pattern location does not affect list functionality. Organizations should typically grant both data read and metadata list permissions for complete read access to KV v2 secrets.
$17.99
One-time access to this exam