HashiCorp Vault-Associate Certification Exam Dumps with 57 Practice Test Questions
New Vault-Associate Exam Dumps with High Passing Rate
HashiCorp Vault-Associate Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
| Topic 6 |
|
NEW QUESTION # 10
An authentication method should be selected for a use case based on:
- A. The auth method that best establishes the identity of the client
- B. The cloud provider for which the client is located on
- C. Compatibility with the secret engine which is to be used
- D. The strongest available cryptographic hash for the use case
Answer: A
Explanation:
An authentication method should be selected for a use case based on the auth method that best establishes the identity of the client. The identity of the client is the basis for assigning a set of policies and permissions to the client in Vault. Different auth methods have different ways of verifying the identity of the client, such as using passwords, tokens, certificates, cloud credentials, etc. Depending on the use case, some auth methods may be more suitable or convenient than others. For example, for human users, the userpass or ldap auth methods may be easy to use, while for machines or applications, the approle or aws auth methods may be more secure and scalable. The choice of the auth method should also consider the trade-offs between security, performance, and usability. Reference: Auth Methods | Vault | HashiCorp Developer, Authentication - Concepts | Vault | HashiCorp Developer
NEW QUESTION # 11
You can build a high availability Vault cluster with any storage backend.
- A. False
- B. True
Answer: A
Explanation:
Not all storage backends support high availability mode for Vault. Only the storage backends that support locking can enable Vault to run in a multi-server mode where one server is active and the others are standby. Some examples of storage backends that support high availability mode are Consul, Integrated Storage, and ZooKeeper. Some examples of storage backends that do not support high availability mode are Filesystem, MySQL, and PostgreSQL. Reference: https://developer.hashicorp.com/vault/docs/concepts/ha1, https://developer.hashicorp.com/vault/docs/configuration/storage2
NEW QUESTION # 12
When creating a policy, an error was thrown:
Which statement describes the fix for this issue?
- A. sudo is not a capability
- B. You cannot have a wildcard (" * ") in the path
- C. Replace write with create in the capabilities list
Answer: C
Explanation:
The error was thrown because the policy code contains an invalid capability, "write". The valid capabilities for a policy are "create", "read", "update", "delete", "list", and "sudo". The "write" capability is not recognized by Vault and should be replaced with "create", which allows creating new secrets or overwriting existing ones. The other statements are not correct, because the wildcard (*) and the sudo capability are both valid in a policy. The wildcard matches any number of characters within a path segment, and the sudo capability allows performing certain operations that require root privileges.
Reference:
[Policy Syntax | Vault | HashiCorp Developer]
[Policy Syntax | Vault | HashiCorp Developer]
NEW QUESTION # 13
Use this screenshot to answer the question below:
When are you shown these options in the GUI?
- A. Enabling authentication methods
- B. Enabling secret engines
- C. Enabling authentication engines
- D. Enabling policies
Answer: A
Explanation:
This screenshot is shown when you are enabling authentication methods in the GUI. Authentication methods are the ways users and applications authenticate with Vault. Vault supports many different authentication methods, including username and password, GitHub, and more. You can enable one or more authentication methods from the grid of options, which are divided into three categories: Generic, Cloud, and Infra. Each option has a name, a description, and a logo. You can also enable authentication methods using the Vault CLI or API.
Enabling policies, authentication engines, and secret engines are different tasks that are not related to this screenshot. Policies are rules that govern the access to Vault resources, such as secrets, authentication methods, and audit devices. Authentication engines are components of Vault that perform authentication and assign policies to authenticated entities. Secret engines are components of Vault that store, generate, or encrypt data. These tasks have different GUI pages and options than the screenshot.
Reference:
[Authentication | Vault | HashiCorp Developer]
[Policies | Vault | HashiCorp Developer]
[Authentication | Vault | HashiCorp Developer]
[Secrets Engines | Vault | HashiCorp Developer]
NEW QUESTION # 14
Which of the following cannot define the maximum time-to-live (TTL) for a token?
- A. System max TTL
- B. By the mount endpoint configuration very password used
- C. By the authentication method t natively provide a method of expiring credentials
- D. A parent token TTL e password rotation tools and practices
- E. By the client system f credentials leaking
Answer: E
Explanation:
The maximum time-to-live (TTL) for a token is defined by the lowest value among the following factors:
The authentication method that issued the token. Each auth method can have a default and a maximum TTL for the tokens it generates. These values can be configured by the auth method's mount options or by the auth method's specific endpoints.
The mount endpoint configuration that the token is accessing. Each secrets engine can have a default and a maximum TTL for the leases it grants. These values can be configured by the secrets engine's mount options or by the secrets engine's specific endpoints.
A parent token TTL. If a token is created by another token, it inherits the remaining TTL of its parent token, unless the parent token has an infinite TTL (such as the root token). A child token cannot outlive its parent token.
System max TTL. This is a global limit for all tokens and leases in Vault. It can be configured by the system backend's max_lease_ttl option.
The client system that uses the token cannot define the maximum TTL for the token, as this is determined by Vault's configuration and policies. The client system can only request a specific TTL for the token, but this request is subject to the limits imposed by the factors above.
NEW QUESTION # 15
When unsealing Vault, each Shamir unseal key should be entered:
- A. At the command line in one single command
- B. Sequentially from one system that all of the administrators are in front of
- C. While encrypted with each administrators PGP key
- D. By different administrators each connecting from different computers
Answer: D
Explanation:
When unsealing Vault, each Shamir unseal key should be entered by different administrators each connecting from different computers. This is because the Shamir unseal keys are split into shares that are distributed to trusted operators, and no single operator should have access to more than one share. This way, the unseal process requires the cooperation of a quorum of key holders, and enhances the security and availability of Vault. The unseal keys can be entered via multiple mechanisms from multiple client machines, and the process is stateful. The order of the keys does not matter, as long as the threshold number of keys is reached. The unseal keys should not be entered at the command line in one single command, as this would expose them to the history and compromise the security. The unseal keys should not be encrypted with each administrator's PGP key, as this would prevent Vault from decrypting them and reconstructing the master key. Reference: https://developer.hashicorp.com/vault/docs/concepts/seal3, https://developer.hashicorp.com/vault/docs/commands/operator/unseal
NEW QUESTION # 16
Running the second command in the GUI CLI will succeed.
- A. False
- B. True
Answer: A
Explanation:
Running the second command in the GUI CLI will fail. The second command is vault kv put secret/creds passcode=my-long-passcode. This command attempts to write a secret named creds with the value passcode=my-long-passcode to the secret path, which is the default path for the kv secrets engine. However, the kv secrets engine is not enabled at the secret path, as shown by the first command vault secrets list, which lists the enabled secrets engines and their paths. The only enabled secrets engine is the transit secrets engine at the transit path. Therefore, the second command will fail with an error message saying that no secrets engine is mounted at the path secret/. To make the second command succeed, the kv secrets engine must be enabled at the secret path or another path, using the vault secrets enable command. For example, vault secrets enable -path=secret kv would enable the kv secrets engine at the secret path. Reference: kv - Command | Vault | HashiCorp Developer, vault secrets enable - Command | Vault | HashiCorp Developer
NEW QUESTION # 17
How many Shamir's key shares are required to unseal a Vault instance?
- A. One or more keys
- B. A quorum of key shares
- C. All key shares
- D. The threshold number of key shares
Answer: D
Explanation:
Shamir's Secret Sharing is a cryptographic algorithm that allows a secret to be split into multiple parts, called key shares, such that a certain number of key shares are required to reconstruct the secret. The number of key shares and the threshold number are configurable parameters that depend on the desired level of security and availability. Vault uses Shamir's Secret Sharing to protect its master key, which is used to encrypt and decrypt the data encryption key that secures the Vault data. When Vault is initialized, it generates a master key and splits it into a configured number of key shares, which are then distributed to trusted operators. To unseal Vault, the threshold number of key shares must be provided to reconstruct the master key and decrypt the data encryption key. This process ensures that no single operator can access the Vault data without the cooperation of other key holders. Reference: https://developer.hashicorp.com/vault/docs/concepts/seal4, https://developer.hashicorp.com/vault/docs/commands/operator/init5, https://developer.hashicorp.com/vault/docs/commands/operator/unseal6
NEW QUESTION # 18
An organization wants to authenticate an AWS EC2 virtual machine with Vault to access a dynamic database secret. The only authentication method which they can use in this case is AWS.
- A. False
- B. True
Answer: A
Explanation:
The statement is false. An organization can authenticate an AWS EC2 virtual machine with Vault to access a dynamic database secret using more than one authentication method. The AWS auth method is one of the options, but not the only one. The AWS auth method supports two types of authentication: ec2 and iam. The ec2 type uses the signed EC2 instance identity document to authenticate the EC2 instance. The iam type uses the AWS Signature v4 algorithm to sign a request to the sts:GetCallerIdentity API and authenticate the IAM principal. However, the organization can also use other auth methods that are compatible with EC2 instances, such as AppRole, JWT/OIDC, or Kubernetes. These methods require the EC2 instance to have some sort of identity material, such as a role ID, a secret ID, a JWT token, or a service account token, that can be used to authenticate to Vault. The identity material can be provisioned to the EC2 instance using various mechanisms, such as user data, metadata service, or cloud-init scripts. The choice of the auth method depends on the use case, the security requirements, and the trade-offs between convenience and control. Reference: AWS - Auth Methods | Vault | HashiCorp Developer, AppRole - Auth Methods | Vault | HashiCorp Developer, JWT/OIDC - Auth Methods | Vault | HashiCorp Developer, Kubernetes - Auth Methods | Vault | HashiCorp Developer
NEW QUESTION # 19
Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?
- A. Google Cloud Secrets Engine
- B. SSH secrets engine
- C. Key/Value secrets engine version 2
- D. Identity secrets engine
Answer: A
Explanation:
The Google Cloud Secrets Engine is the best option for the DevOps team to provision VMs in GCP via a CICD pipeline and integrate Vault to protect the credentials used by the tool. The Google Cloud Secrets Engine can dynamically generate GCP service account keys or OAuth tokens based on IAM policies, which can be used to authenticate and authorize the CICD tool to access GCP resources. The credentials are automatically revoked when they are no longer used or when the lease expires, ensuring that the credentials are short-lived and secure. The DevOps team can configure rolesets or static accounts in Vault to define the scope and permissions of the credentials, and use the Vault API or CLI to request credentials on demand. The Google Cloud Secrets Engine also supports generating access tokens for impersonated service accounts, which can be useful for delegating access to other service accounts without storing or managing their keys1.
The Identity Secrets Engine is not a good option for this use case, because it does not generate GCP credentials, but rather generates identity tokens that can be used to access other Vault secrets engines or namespaces2. The Key/Value Secrets Engine version 2 is also not a good option, because it does not generate dynamic credentials, but rather stores and manages static secrets that the user provides3. The SSH Secrets Engine is not a good option either, because it does not generate GCP credentials, but rather generates SSH keys or OTPs that can be used to access remote hosts via SSH4.
Reference:
Google Cloud - Secrets Engines | Vault | HashiCorp Developer
Identity - Secrets Engines | Vault | HashiCorp Developer
KV - Secrets Engines | Vault | HashiCorp Developer
SSH - Secrets Engines | Vault | HashiCorp Developer
NEW QUESTION # 20
Which of the following statements describe the secrets engine in Vault? Choose three correct answers.
- A. Some secrets engines simply store and read data
- B. You can build your own custom secrets engine
- C. Once enabled, you cannot disable the secrets engine
- D. Each secrets engine is isolated to its path
- E. A secrets engine cannot be enabled at multiple paths
Answer: A,B,D
Explanation:
Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration. Some of the statements that describe the secrets engines in Vault are:
Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached. Other secrets engines perform more complex operations, such as generating dynamic credentials, encrypting data, issuing certificates, etc1.
You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC. You can also use the SDK to create your own secrets engine in Go and compile it into Vault2.
Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets engine is enabled can be customized and can have multiple segments. For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/3.
The statements that are not true about the secrets engines in Vault are:
You can disable an existing secrets engine by using the vault secrets disable command or the sys/mounts API endpoint. When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend4.
A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others. For example, you can enable the KV secrets engine at kv/ and secret/ and they will not share any data3.
NEW QUESTION # 21
Which of the following statements are true about Vault policies? Choose two correct answers.
- A. Vault must be restarted in order for a policy change to take an effect
- B. The default policy can not be modified
- C. Policies deny by default (empty policy grants no permission)
- D. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault
- E. You must use YAML to define policies
Answer: C,D
Explanation:
Vault policies are written in HCL or JSON format and are attached to tokens or roles by name. Policies define the permissions and restrictions for accessing and performing operations on certain paths and secrets in Vault. Policies are deny by default, which means that an empty policy grants no permission in the system, and any request that is not explicitly allowed by a policy is implicitly denied1. Some of the features and benefits of Vault policies are:
Policies are path-based, which means that they match the request path to a set of rules that specify the allowed or denied capabilities, such as create, read, update, delete, list, sudo, etc2.
Policies are additive, which means that if a token or a role has multiple policies attached, the effective policy is the union of all the individual policies. The most permissive capability is granted if there is a conflict3.
Policies can use glob patterns, such as * and +, to match multiple paths or segments with a single rule. For example, path "secret/*" matches any path starting with secret/, and path "secret/+/config" matches any path with two segments after secret/ and ending with config4.
Policies can use templating to interpolate certain values into the rules, such as identity information, time, randomness, etc. For example, path "secret/{{identity.entity.id}}/*" matches any path starting with secret/ followed by the entity ID of the requester5.
Policies can be managed by using the vault policy commands or the sys/policy API endpoints. You can write, read, list, and delete policies by using these interfaces6.
The default policy is a built-in policy that is attached to all tokens by default and cannot be deleted. However, the default policy can be modified by using the vault policy write command or the sys/policy API endpoint. The default policy provides common permissions for tokens, such as renewing themselves, looking up their own information, creating and managing response-wrapping tokens, etc7.
You do not have to use YAML to define policies, as Vault supports both HCL and JSON formats. HCL is a human-friendly configuration language that is also JSON compatible, which means that JSON can be used as a valid input for policies as well8.
Vault does not need to be restarted in order for a policy change to take effect, as policies are stored and evaluated in memory. Any change to a policy is immediately reflected in the system, and any token or role that has that policy attached will be affected by the change.
NEW QUESTION # 22
To make an authenticated request via the Vault HTTP API, which header would you use?
- A. The Content-Type HTTP Header
- B. The X-Vault-Namespace HTTP Header
- C. The X-Vault-Token HTTP Header
- D. The x-Vault-Request HTTP Header
Answer: C
Explanation:
To make an authenticated request via the Vault HTTP API, you need to use the X-Vault-Token HTTP Header or the Authorization HTTP Header using the Bearer <token> scheme. The token is a string that represents your identity and permissions in Vault. You can obtain a token by using an authentication method, such as userpass, approle, aws, etc. The token can also be a root token, which has unlimited access to Vault, or a wrapped token, which is a response-wrapping token that can be used to unwrap the actual token. The token must be sent with every request to Vault that requires authentication, except for the unauthenticated endpoints, such as sys/init, sys/seal-status, sys/unseal, etc. The token is used by Vault to verify your identity and enforce the policies that grant or deny access to various paths and operations. Reference: https://developer.hashicorp.com/vault/api-docs3, https://developer.hashicorp.com/vault/docs/concepts/tokens4, https://developer.hashicorp.com/vault/docs/concepts/auth5
NEW QUESTION # 23
What is the Vault CLI command to query information about the token the client is currently using?
- A. vault self-lookup
- B. vault lookup self
- C. vault token lookup
- D. vault lookup token
Answer: C
Explanation:
The Vault CLI command to query information about the token the client is currently using is vault token lookup. This command displays information about the token or accessor provided as an argument, or the locally authenticated token if no argument is given. The information includes the token ID, accessor, policies, TTL, creation time, and metadata. This command can be useful for debugging and auditing purposes, as well as for renewing or revoking tokens. Reference: token lookup - Command | Vault | HashiCorp Developer, Tokens | Vault | HashiCorp Developer
NEW QUESTION # 24
Which of the following vault lease operations uses a lease _ id as an argument? Choose two correct answers.
- A. create
- B. describe
- C. revoke
- D. revoke -prefix
- E. renew
Answer: C,E
Explanation:
The vault lease operations that use a lease_id as an argument are renew and revoke. The renew operation allows a client to extend the validity of a lease associated with a secret or a token. The revoke operation allows a client to terminate a lease immediately and invalidate the secret or the token. Both operations require a lease_id as an argument to identify the lease to be renewed or revoked. The lease_id can be obtained from the response of reading a secret or creating a token, or from the vault lease list command. The other operations, revoke-prefix, create, and describe, do not use a lease_id as an argument. The revoke-prefix operation allows a client to revoke all secrets or tokens generated under a given prefix. The create operation allows a client to create a new lease for a secret. The describe operation allows a client to view information about a lease, such as its TTL, policies, and metadata. Reference: Lease, Renew, and Revoke | Vault | HashiCorp Developer, vault lease - Command | Vault | HashiCorp Developer
NEW QUESTION # 25
Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?
- A. Cloud KMS
- B. Key/Value secrets engine version 2, with TTL defined
- C. Transit
- D. PKI
Answer: D
Explanation:
The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs. The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc. Reference: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets
NEW QUESTION # 26
Which of these are a benefit of using the Vault Agent?
- A. Vault Agent will auto-discover which authentication mechanism to use
- B. Vault Agent will enforce minimum levels of encryption an application can use
- C. Vault Agent allows for centralized configuration of application secrets engines
- D. Vault Agent will manage the lifecycle of cached tokens and leases automatically
Answer: D
Explanation:
Vault Agent is a client daemon that provides the following features:
Auto-Auth - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
API Proxy - Allows Vault Agent to act as a proxy for Vault's API, optionally using (or forcing the use of) the Auto-Auth token.
Caching - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens. The agent also manages the renewals of the cached tokens and leases.
Templating - Allows rendering of user-supplied templates by Vault Agent, using the token generated by the Auto-Auth step.
Process Supervisor Mode - Runs a child process with Vault secrets injected as environment variables.
One of the benefits of using the Vault Agent is that it will manage the lifecycle of cached tokens and leases automatically. This means that the agent will handle the token renewal and revocation logic, as well as the lease renewal and revocation logic for the secrets that are cached by the agent. This reduces the burden on the application developers and operators, and ensures that the tokens and secrets are always valid and up-to-date. Reference: Vault Agent | Vault | HashiCorp Developer, Caching - Vault Agent | Vault | HashiCorp Developer
NEW QUESTION # 27
Use this screenshot to answer the question below:
Where on this page would you click to view a secret located at secret/my-secret?
- A. A
- B. D
- C. C
- D. E
- E. B
Answer: C
Explanation:
In the HashiCorp Vault UI, secrets are organized in a tree-like structure. To view a secret located at secret/my-secret, you would click on the "secret/" folder in the tree, then click on the "my-secret" file. In this screenshot, the "secret/" folder is located at option C. This folder contains the secrets that are stored in the key/value secrets engine, which is the default secrets engine in Vault. The key/value secrets engine allows you to store arbitrary secrets as key/value pairs. The key is the path of the secret, and the value is the data of the secret. For example, the secret located at secret/my-secret has a key of "my-secret" and a value of whatever data you stored there.
Reference:
[KV - Secrets Engines | Vault | HashiCorp Developer]
NEW QUESTION # 28
What are orphan tokens?
- A. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
- B. Orphan tokens are tokens with no policies attached
- C. Orphan tokens do not expire when their own max TTL is reached
- D. Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
Answer: C
Explanation:
Orphan tokens are tokens that are root of their own token tree. This means that they do not have any parent token associated with them, and they do not expire when their parent token expires. Orphan tokens are useful for scenarios where you need a short-lived and independent token, such as for testing or debugging purposes. Orphan tokens can also be used to create temporary access tokens for applications or services that need to communicate with Vault without using a long-lived root token. Reference: Tokens | Vault | HashiCorp Developer, Vault cli: how to create orphan token with role - HashiCorp Discuss
NEW QUESTION # 29
To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?
- A. sudo
- B. None of the above
- C. list
- D. read
- E. update
Answer: A
Explanation:
To give a role the ability to display or output all of the end points under the /secrets/apps/* end point, it would need to have the list capability set. The list capability allows a role to perform any operation on any path in Vault, including reading, writing, deleting, and listing. The list capability is required for roles that need to access sensitive data or perform administrative tasks in Vault. The other capabilities are not relevant for this scenario, as they only allow specific operations on specific paths or secrets engines. Reference: Policies | Vault | HashiCorp Developer, token capabilities - Command | Vault | HashiCorp Developer
NEW QUESTION # 30
When looking at Vault token details, which key helps you find the paths the token is able to access?
- A. Accessor
- B. Path
- C. Policies
- D. Meta
Answer: C
Explanation:
When looking at Vault token details, the policies key helps you find the paths the token is able to access. Policies are a declarative way to grant or forbid access to certain paths and operations in Vault. Policies are written in HCL or JSON and are attached to tokens by name. Policies are deny by default, so an empty policy grants no permission in the system. A token can have one or more policies associated with it, and the effective policy is the union of all the individual policies. You can view the token details by using the vault token lookup command or the auth/token/lookup API endpoint. The output will show the policies key with a list of policy names that are attached to the token. You can also view the contents of a policy by using the vault policy read command or the sys/policy API endpoint. The output will show the rules key with the HCL or JSON representation of the policy. The rules will specify the paths and the capabilities (such as create, read, update, delete, list, etc.) that the policy allows or denies. Reference: https://developer.hashicorp.com/vault/docs/concepts/policies4, https://developer.hashicorp.com/vault/docs/commands/token/lookup5, https://developer.hashicorp.com/vault/api-docs/auth/token#lookup-a-token6, https://developer.hashicorp.com/vault/docs/commands/policy/read7, https://developer.hashicorp.com/vault/api-docs/system/policy8
NEW QUESTION # 31
A user issues the following cURL command to encrypt data using the transit engine and the Vault AP:
Which payload.json file has the correct contents?
- A.
- B.
- C.
- D.
Answer: B
Explanation:
The payload.json file that has the correct contents is C. This file contains a JSON object with a single key, "plaintext", and a value that is the base64-encoded string of the data to be encrypted. This is the format that the Vault API expects for the transit encrypt endpoint1. The other files are not correct because they either have the wrong key name, the wrong value format, or the wrong JSON syntax.
Reference:
Encrypt Data - Transit Secrets Engine | Vault | HashiCorp Developer
NEW QUESTION # 32
Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?
- A. vault kv put secret/password value-SSECRET_VALUE
- B. generate-password | vault kv put secret/password value
- C. vault kv put secret/password value-itsasecret
- D. vault kv put secret/password [email protected]
Answer: C
Explanation:
The command that does not meet the security requirement of not having secrets appear in the shell history is B. vault kv put secret/password value-itsasecret. This command would store the secret value "itsasecret" in the key/value secrets engine at the path secret/password, but it would also expose the secret value in the shell history, which could be accessed by other users or malicious actors. This is not a secure way of storing secrets in Vault.
The other commands are more secure ways of storing secrets in Vault without revealing them in the shell history.
A). generate-password | vault kv put secret/password value would use a pipe to pass the output of the generate-password command, which could be a script or a tool that generates a random password, to the vault kv put command, which would store the password in the key/value secrets engine at the path secret/password. The password would not be visible in the shell history, only the commands.
C). vault kv put secret/password [email protected] would use the @ syntax to read the secret value from a file named data.txt, which could be encrypted or protected by file permissions, and store it in the key/value secrets engine at the path secret/password. The file name would be visible in the shell history, but not the secret value.
D). vault kv put secret/password value-SSECRET_VALUE would use the -S syntax to read the secret value from the environment variable SECRET_VALUE, which could be set and unset in the shell session, and store it in the key/value secrets engine at the path secret/password. The environment variable name would be visible in the shell history, but not the secret value.
Reference:
[Write Secrets | Vault | HashiCorp Developer]
NEW QUESTION # 33
......
Get Vault-Associate Braindumps & Vault-Associate Real Exam Questions: https://www.guidetorrent.com/Vault-Associate-pdf-free-download.html
HashiCorp Vault-Associate Actual Questions and Braindumps: https://drive.google.com/open?id=141GXsCLhkRuFC19PaJTBw66OGQCRh4ul