HashiCorp Certified: Vault Associate (003)
Validates foundational knowledge of HashiCorp Vault for secrets management, data protection, and access control. Covers authentication methods, policies, tokens, leases, secrets engines, encryption as a service via the Transit engine, Vault architecture fundamentals, deployment architecture including integrated storage, and access management with Vault Agent. Designed for cloud engineers specializing in security, development, or operations. Tests on Vault 1.16.
Exam domains
- Secrets Engines (14%)
Enable and route the KV (v1 and v2), database, AWS/Azure/GCP, PKI, SSH, and Transit secrets engines via API/CLI/UI, choosing between static (KV) and dynamic (database, cloud IAM) secrets per use case. Use response wrapping for secure secret delivery, and access secrets through all three interfaces with appropriate mount paths.
- Vault Tokens (11%)
Choose between service and batch tokens, manage root tokens and token accessors, and reason about TTL, explicit max TTL, periodic, and orphan tokens. Create tokens via `vault token create`, the API, and child-token relationships, and explain revocation cascades through token parents.
- Vault Policies (11%)
Author HCL ACL policies with path globs (including the '+' and '*' wildcards) and the capabilities set (create, read, update, delete, list, sudo, deny) to enforce least-privilege access. Apply, manage, and test policies via the UI and CLI, and choose policy bindings that satisfy a given access requirement.
- Authentication Methods (11%)
Configure and select Vault auth methods (userpass, AppRole, LDAP, Kubernetes, JWT/OIDC, cloud IAM) and explain the distinction between human and machine authentication. Use identities, entities, and groups to map external credentials to Vault policies, and authenticate via API, CLI, and UI.
Sources
Questions are grounded in 100 references from official and authoritative materials.