Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. HashiCorp
  3. HCVA0-003

HashiCorp HCVA0-003 Exam (page: 8)
HashiCorp Certified: Vault Associate (003)
Updated on: 25-Dec-2025

Viewing Page 8 of 58
HCVA0-003 PDF 285 Questions

Which of the following policies would permit a user to generate dynamic credentials on a database?

  1. path "database/creds/read_only_role" { capabilities = ["generate"] }
  2. path "database/creds/read_only_role" { capabilities = ["update"] }
  3. path "database/creds/read_only_role" { capabilities = ["list"] }
  4. path "database/creds/read_only_role" { capabilities = ["read"] }

Answer(s): D

Explanation:

Comprehensive and Detailed in Depth
The Database secrets engine generates dynamic credentials for database access. The endpoint database/creds/<role> (e.g., read_only_role) provides these credentials via a read operation. Let's analyze:
Option A: capabilities = ["generate"]
There's no generate capability in Vault policies. Capabilities are create, read, update, delete, list, etc.

This is invalid. Incorrect.
Option B: capabilities = ["update"]
update (PUT) modifies existing data, not generates credentials. The creds endpoint uses GET.
Incorrect.
Option C: capabilities = ["list"]
list retrieves metadata or paths, not credential data. Incorrect.
Option D: capabilities = ["read"]
Generating dynamic credentials involves a GET request to database/creds/<role>, mapped to the read capability. This policy allows it. Correct.
Detailed Mechanics:
For a role read_only_role defined with vault write database/roles/read_only_role db_name=my-db creation_statements="CREATE USER...", a user with read on database/creds/read_only_role can run vault read database/creds/read_only_role to get temporary credentials. Vault's policy system aligns HTTP verbs to capabilities: GET = read, PUT = update. This counterintuitive mapping (GET for creation) is specific to dynamic secrets.
Overall Explanation from Vault Docs:
"Generating database credentials requires read capability on database/creds/<role>... Despite creating credentials, the HTTP request is a GET."


Reference:

https://developer.hashicorp.com/vault/tutorials/db-credentials/database-secrets



Which scenario most strongly indicates a need to run a self-hosted Vault cluster instead of using HCP Vault Dedicated?

  1. Your organization doesn't require any custom security policies or intricate network topologies
  2. You want to offload all operational tasks and rely on HashiCorp to manage patching, upgrades, and infrastructure
  3. You prefer a fully managed environment that is readily scalable with minimal configuration overhead
  4. You must maintain specific compliance or custom integration requirements that demand full control over the Vault environment, including infrastructure provisioning and plugin development

Answer(s): D

Explanation:

Comprehensive and Detailed in Depth
HCP Vault Dedicated is a managed service, while self-hosted Vault (Community or Enterprise) requires user management. Let's evaluate:
A: Simple needs favor HCP Vault's managed simplicity. Incorrect.
B: Offloading tasks aligns with HCP Vault, not self-hosted. Incorrect.
C: Managed scalability suits HCP Vault. Incorrect.
D: Compliance, custom integrations, and plugin development need full control, only possible with self-hosted Vault. Correct.
Detailed Mechanics:
Self-hosted Vault allows custom plugins, FIPS 140-2 compliance, and specific network configs (e.g., air-gapped setups), unavailable in HCP Vault Dedicated due to its standardized, managed nature.

Overall Explanation from Vault Docs:
"Self-managed Vault supports custom requirements... HCP Vault Dedicated offloads operations but limits control."


Reference:

https://developer.hashicorp.com/vault/tutorials/get-started/available-editions



From the options below, select the benefits of using a batch token over a service token (select four).

  1. Often used for ephemeral, high-performance workloads
  2. Can be a root token
  3. Can be used on performance replication clusters (if orphan)
  4. Has accessors
  5. Lightweight and scalable
  6. No storage cost for token creation

Answer(s): A,C,E,F

Explanation:

Comprehensive and Detailed in Depth
Batch tokens are lightweight alternatives to service tokens, with trade-offs. Let's analyze:
A: Designed for short-lived, high-performance tasks. Correct.
B: Cannot be root tokens; root status is service-token-specific. Incorrect.
C: Orphan batch tokens work in replication. Correct.
D: No accessors; unique to service tokens. Incorrect.
E: Minimal overhead makes them scalable. Correct.
F: No disk storage reduces cost. Correct.
Overall Explanation from Vault Docs:
"Batch tokens are encrypted blobs... lightweight, scalable, no storage cost, ideal for ephemeral workloads."


Reference:

https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens



Which of the following are accurate statements regarding the use of a KV v2 secrets engine (select three)?

  1. Issuing a vault kv destroy command permanently deletes the current version of the secret
  2. Issuing a vault kv destroy command deletes all versions of a secret
  3. Issuing a vault kv delete command performs a soft delete of the current version
  4. Issuing a vault kv metadata delete command permanently deletes the secret

Answer(s): A,C,D

Explanation:

Comprehensive and Detailed in Depth
KV v2 supports versioning. Let's evaluate:
A: destroy removes a specific version permanently. Correct.
B: destroy targets specified versions, not all. Incorrect.
C: delete soft-deletes the current version. Correct.
D: metadata delete removes all versions and metadata. Correct.
Overall Explanation from Vault Docs:
"kv delete soft-deletes... kv destroy permanently removes versions... kv metadata delete wipes everything."


Reference:

https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2



Which of the following is NOT a valid way in which a lease can be revoked in Vault?

  1. Using the user interface (UI)
  2. Automatically when the TTL or Max-TTL expires
  3. Using the API to call the /v1/sys/leases endpoint
  4. Via the CLI using the vault token command

Answer(s): D

Explanation:

Comprehensive and Detailed in Depth
Leases manage dynamic secrets' lifecycles. Let's check:
A: UI allows lease revocation. Valid.
B: TTL expiration auto-revokes leases. Valid.
C: API endpoint revokes leases. Valid.
D: vault token manages tokens, not leases directly. Invalid.
Overall Explanation from Vault Docs:
"Leases can be revoked via API, UI, CLI (vault lease revoke), or TTL expiry... vault token is for tokens."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/lease



Viewing Page 8 of 58



Share your comments for HashiCorp HCVA0-003 exam with other users:

siva 5/17/2023 12:32:00 AM

very helpfull
Anonymous


mouna 9/27/2023 8:53:00 AM

good questions
Anonymous


Bhavya 9/12/2023 7:18:00 AM

help to practice csa exam
Anonymous


Malik 9/28/2023 1:09:00 PM

nice tip and well documented
Anonymous


rodrigo 6/22/2023 7:55:00 AM

i need the exam
Anonymous


Dan 6/29/2023 1:53:00 PM

please upload
Anonymous


Ale M 11/22/2023 6:38:00 PM

prepping for fsc exam
AUSTRALIA


ahmad hassan 9/6/2023 3:26:00 AM

pd1 with great experience
Anonymous


Žarko 9/5/2023 3:35:00 AM

@t it seems like azure service bus message quesues could be the best solution
UNITED KINGDOM


Shiji 10/15/2023 1:08:00 PM

helpful to check your understanding.
INDIA


Da Costa 8/27/2023 11:43:00 AM

question 128 the answer should be static not auto
Anonymous


bot 7/26/2023 6:45:00 PM

more comments here
UNITED STATES


Kaleemullah 12/31/2023 1:35:00 AM

great support to appear for exams
Anonymous


Bsmaind 8/20/2023 9:26:00 AM

useful dumps
Anonymous


Blessious Phiri 8/13/2023 8:37:00 AM

making progress
Anonymous


Nabla 9/17/2023 10:20:00 AM

q31 answer should be d i think
FRANCE


vladputin 7/20/2023 5:00:00 AM

is this real?
UNITED STATES


Nick W 9/29/2023 7:32:00 AM

q10: c and f are also true. q11: this is outdated. you no longer need ownership on a pipe to operate it
Anonymous


Naveed 8/28/2023 2:48:00 AM

good questions with simple explanation
UNITED STATES


cert 9/24/2023 4:53:00 PM

admin guide (windows) respond to malicious causality chains. when the cortex xdr agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the ip address to close all existing communication and block new connections from this ip address to the endpoint. when cortex xdrblocks an ip address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. you can view the list of all blocked ip addresses per endpoint from the action center, as well as unblock them to re-enable communication as appropriate. this module is supported with cortex xdr agent 7.3.0 and later. select the action mode to take when the cortex xdr agent detects remote malicious causality chains: enabled (default)—terminate connection and block ip address of the remote connection. disabled—do not block remote ip addresses. to allow specific and known s
Anonymous


Yves 8/29/2023 8:46:00 PM

very inciting
Anonymous


Miguel 10/16/2023 11:18:00 AM

question 5, it seems a instead of d, because: - care plan = case - patient = person account - product = product2;
SPAIN


Byset 9/25/2023 12:49:00 AM

it look like real one
Anonymous


Debabrata Das 8/28/2023 8:42:00 AM

i am taking oracle fcc certification test next two days, pls share question dumps
Anonymous


nITA KALE 8/22/2023 1:57:00 AM

i need dumps
Anonymous


CV 9/9/2023 1:54:00 PM

its time to comptia sec+
GREECE


SkepticReader 8/1/2023 8:51:00 AM

question 35 has an answer for a different question. i believe the answer is "a" because it shut off the firewall. "0" in registry data means that its false (aka off).
UNITED STATES


Nabin 10/16/2023 4:58:00 AM

helpful content
MALAYSIA


Blessious Phiri 8/15/2023 3:19:00 PM

oracle 19c is complex db
Anonymous


Sreenivas 10/24/2023 12:59:00 AM

helpful for practice
Anonymous


Liz 9/11/2022 11:27:00 PM

support team is fast and deeply knowledgeable. i appreciate that a lot.
UNITED STATES


Namrata 7/15/2023 2:22:00 AM

helpful questions
Anonymous


lipsa 11/8/2023 12:54:00 PM

thanks for question
Anonymous


Eli 6/18/2023 11:27:00 PM

the software is provided for free so this is a big change. all other sites are charging for that. also that fucking examtopic site that says free is not free at all. you are hit with a pay-wall.
EUROPEAN UNION