Vault
Learning path - Vault Associate (002)
The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.
Prerequisites
- Basic terminal skills
- Basic understanding of on-premise or cloud architecture
- Basic level of security understanding
To learn more about the exam, visit the HashiCorp Product Certifications page.
Study for the exam
Expect to see questions associated with each exam objective. If you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam, skip to the content list.
The sample questions help you get familiar with the format of the questions.
This learning path provides links to tutorials and documentation to learn the features that are covered in the exam.
Vault fundamentals
Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k
You will be tested on your knowledge of Vault fundamentals which include Vault architecture, seal/unseal Vault, and how to authenticate with Vault. Complete the following tasks to ensure that you understand the Vault core concepts.
- Complete the Vault Getting Started tutorials
- Read the Introduction to Vault documentation
- Read the Vault Concepts documentation to make sure that you understand the core concepts
- Review the Overview section of the Vault Commands (CLI) documentation to understand the basic structure of CLI
Study tips
Understand the components of Vault (cryptographic barrier, storage backend, auth methods, etc.)
Secrets are encrypted by Vault's barrier; therefore, the storage backend contains the encrypted Vault data.
Storage backend: Integrated Storage questions have been added → Migration checklist gives you the comparison between Consul and Integrated Storage
Understand how seal/unseal works
Shamir's Secret Sharing algorithm (default)
Auto unseal concept (use recovery keys instead of unseal keys to regenerate a root token)
Authentication
You will be tested on your knowledge of configuring auth methods using CLI and UI.
- Understand the concept of authentication in Vault
- There are human-centric auth methods (e.g. LDAP, GitHub) as well as machine-oriented auth methods (e.g. AWS, AppRole, Kubernetes)
- Get familiar with Vault CLI to configure auth methods
- Get familiar with Vault UI to configure auth methods
- Go through the interactive tutorial attached to the AppRole Pull Authentication tutorial
Tokens
- Read the token concepts documentation
- Root tokens can be regenerated later if needed; therefore, you don't need to worry about persisting it somewhere
- Know the basics of token accessor
- When tokens are created, a token accessor is also created and returned. Use it to:
- Look up a token's properties (not including the actual token ID)
- Look up a token's capabilities on a path
- Renew the token
- Revoke the token
- The number of accessors on the Vault server is the number of tokens
- Go through the tokens tutorial
- Be familiar with the vault token sub-commands:
capabilities
,create
,lookup
,renew
,revoke
- Know the characteristics of batch tokens
- Be familiar with the vault token sub-commands:
- Understand the token's TTL and max TTL → know when a token expires and no longer renewable
Access management
Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f
Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send authenticated requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.
- Follow these 5 tutorials from the Access Management learning track:
- Read the Vault Agent documentation
Study tips
- Go through the Vault Policies tutorial
- Be aware of the use of "
*
" and "+
" in policy paths - Understand that there are built-in policies:
root
anddefault
- Keep it in mind that Vault is deny by default → No policy means no access
- Understand the challenge that Vault Agent solves
- Auto-auth allows for easy authentication and manage the lifecycle of the client token → No need to implement that in your application
- Caching allows client-side caching of tokens and leases → Reduce the latency in getting secrets from Vault
- Templates allows Vault Agent to leverage Consul Template markup → Your existing application can be Vault un-aware (no code change) while secrets are managed by Vault
Secrets management
Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k
The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.
- Browse the Secrets Engines section of the Vault documentation focusing on:
- Review the Secrets Management tutorials paying special attention to these 4 tutorials:
- Review the Vault product use cases. To test your understanding of Vault, some scenario-based questions will be asked
Study tips
- Read the lease, renew, and revoke documentation
- What is a lease in Vault? Lease is the secrets generated by the Vault's dynamic secrets engines (e.g. database, aws, consul) to access the target system. For example, a lease generated by the
database
secrets engine contains database username, password, duration (TTL), and more. - Use lease ID to renew or revoke a lease
- Be familiar with the
vault lease
command - Understand the lease time-to-live (TTL)
- What is a lease in Vault? Lease is the secrets generated by the Vault's dynamic secrets engines (e.g. database, aws, consul) to access the target system. For example, a lease generated by the
- Most of the questions are scenario-based to test if you can identify the common usages and benefits of secrets engines
Data encryption
Objectives covered: 5c, 10a-c
Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.
- Read the Transit section of the Secrets Engine documentation to learn its characteristics
- Follow these Data Encryption tutorials to learn its basic operation:
Study tips
- Read the Encryption as a Service: Transit Secrets Engine tutorial.
- Understand the common scenario introduced in the beginning of the tutorial, and what challenge it solves
Vault deployment architecture
Objectives covered: 9b-c, 9g-h
With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.
Read the Architecture section of the documentation
Follow the Vault Reference Architecture guide
- Be familiar with the recommended Vault Deployment Architecture diagrams (e.g. how many nodes in a cluster)
Familiarize yourself with the Vault Enterprise features—especially Replication—by reading the documentation. Some scenario-based questions will be asked
Be aware of Enterprise Replication and what they achieve (you just need to know the concept)
Performance Replication vs. Disaster Recovery (DR) Replication
Scaling vs. Fault-tolerance
The following table shows a capability comparison between Disaster Recovery and Performance Replication.
Capability Disaster Recovery Performance Replication Mirrors the configuration of a primary cluster Yes Yes Mirrors the configuration of a primary cluster’s backends (i.e., auth methods, secrets engines, audit devices, etc.) Yes Yes Mirrors the tokens and leases for applications and users interacting with the primary cluster Yes No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary. Allows the secondary cluster to handle client requests No Yes
Next steps
For specific study materials that cover a particular exam objective, refer to the content list. Check out the sample questions to review the exam question format.