Study guide - Vault operations professional certification

10min
|
Vault

Warning

These exam preparation tutorials will not be available for reference during the exam. Only Vault's docs and Vault's API docs will be available during the exam.

The Vault Operations Professional Certification exam asks you to perform hands-on tasks to demonstrate your knowledge, which means the only way to study for it is to practice and gain hands-on experience. Candidates are encouraged to gain as much hands-on experience as possible to build mastery using the Vault CLI.

The exam contains:

Platform screenshot

Hands-on scenarios

The exam features different scenarios, each with their own Linux environments, where you will set up the Vault environments as instructed. You can perform the operational tasks using the Vault CLI or UI. The following list includes the scenario topics you may encounter in your exam.

Each scenario has more than one task to perform. For convenience, the shortcut links to the SSH session and UI are provided for each node.

Integrated Storage

You will be tested on objectives in a scenario related to configuring a Vault server with Integrated Storage (Raft).

Study tips

Integrated Storage is the recommended Vault storage backend. Therefore, the exam configures Vault with Integrated Storage throughout. Regardless of the storage backend you use today, be familiar with Integrated Storage.

You must demonstrate that you can create a Vault server configuration file based on a given requirements.
Understand the benefits of Vault Auto Unseal and know how to configure it.
Go through the Vault HA Cluster with Integrated Storage tutorial to understand the mechanics of setting up a HA cluster.
- Data snapshot for recovery
Start and initialize a Vault server using the server configuration you created.
- PGP encrypted key shares
- Know how to rekey Vault and rotate encryption keys

Authentication methods and secret engines

You will be tested on objectives related to enabling and configuring auth methods and secrets engines.

Study tips

Go through enough tutorials to be comfortable enabling and configuring auth methods and secrets engines.
Auth Methods tutorials
Secrets Management tutorials

Vault Enterprise Replication

You will be tested on objectives related to enabling and configuring both Vault Enterprise Disaster Recovery (DR) Replication and Vault Enterprise Performance Replication.

Study tips

Be sure you know how to:

Enable and configure Vault Enterprise Replication.
Set up Disaster Recovery (DR) Replication across the given Vault clusters.
Set up Performance Replication with paths filter based on a given requirement.

Vault Agent and Templating

You will be tested on objectives related to securely configuring Vault Agent auto-auth, token sink, and templates.

Study tips

On a given client host, you must set up a Vault Agent to authenticate with Vault and retrieve secrets. Vault Agent does not require an Enterprise binary.
If you are not currently using Vault Agent, go through the documentation and tutorials to know how to configure a Vault Agent that enables:

Policy and access control

You will be tested on objectives related to ACL policies and Vault Enterprise namespaces.

Study tips

You need to know how to write ACL policies based on a given requirement. For example, if the requirement is to allow permission to list enabled auth methods, what policy path and capabilities you must set.

Answer

path "sys/auth" {
   capabilities = [ "read" ]
}

You can use the -output-policy flag.

$ vault auth list -output-policy
path "sys/auth" {
  capabilities = ["read"]
}

The following tutorials help to practice authoring policies:

Policies tutorial has an interactive tutorial environment
Vault Policies
Write a Policy using API documentation

Hybrid scenarios

The hybrid scenarios present multiple-choice questions based on a given Vault environment. In order to answer the questions, you must inspect the Vault server. Any actions or changes made to the lab environment will not be considered during grading. Grading is based on choosing the correct multiple-choice option.

Example question

Find the answers by interacting with the lab environment. Use the links in the right side navigation box to connect to the scenario-node-xxxx node. Any actions or changes made to the Scenario lab environment will not be considered in your grade. You will be graded based on your answer to the multiple-choice options below.

Your organization recently adopted Vault to encrypt sensitive customer data before storing them in the database. A web application uses the customer key to encrypt the data; however, Vault returns a "permission denied" error. The web application's token has the webapp-1 policy attached.

Why is the web app receiving this error? Select one:

🔘 The webapp-1 policy is missing update capability
🔘 The webapp-1 policy is missing sudo capability
🔘 The webapp-1 policy path should be transit/keys/customer
🔘 The webapp-1 policy path should be transit/+/customer

Hints and tips

Since you will only be graded based on your answer to the multiple-choice question, any change you make to the policy will not affect your score. You can run Vault commands or use the UI to test ideas and reach your conclusion.

To find the answer to this question, you must connect to the Vault environment (scenario5-node-xxxx node) and examine the webapp-1 policy.

$ vault policy read webapp-1

path "transit/encrypt/customer" {
   capabilities = [ "create", "read" ]
}

path "transit/decrypt/customer" {
   capabilities = [ "create", "read" ]
}

You might even edit the policy and generate a token to verify it.

$ vault token create -policy=webapp-1
Key                  Value
---                  -----
token                s.y57ojkoxGy50GvrvIGHlyfcr
token_accessor       tuBBfq5QTUnlFU8edAQGsYQU
token_duration       768h
token_renewable      true
token_policies       ["default" "webapp-1"]
identity_policies    []
policies             ["default" "webapp-1"]

$ VAULT_TOKEN="s.y57ojkoxGy50GvrvIGHlyfcr" vault write transit/encrypt/customer \
    plaintext=$(base64 <<< "This is a test")

In this case, the answer is:

✅ Correct: The webapp-1 policy is missing update capability
❌ Incorrect: The webapp-1 policy is missing sudo capability
❌ Incorrect: The webapp-1 policy path should be transit/keys/customer
❌ Incorrect: The webapp-1 policy path should be transit/+/customer

Familiarize yourself with exam objectives by using the Review Guide. The table lists all exam objectives and provides corresponding documentation and tutorial links.

Multiple-choice questions

The multiple-choice questions ask you to apply your expertise and judgement in different situations and scenarios. You must read carefully to understand how Vault is being used to answer the questions.

You can flag the question so that you can come back later if you have enough time. Don't spend too much time on a single question, and be sure to allocate enough time to go through the rest of the exam.

Once you select your answers, click Save / Next to move forward.

Sample multiple-choice questions

Question 1

Your organization is migrating applications to run on a Kubernetes environment. This motivated the operations team to deploy Vault on Kubernetes. Which best practices does HashiCorp recommend to securely run Vault on Kubernetes? Choose two correct answers.

🔘 A: Run as root.
🔘 B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
🔘 C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
🔘 D: Do not use Consul as a Vault storage backend.
🔘 E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).

Answer

Correct answers are B and C.

❌ A: Run as root.
✅ B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
✅ C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
❌ D: Do not use Consul as a Vault storage backend.
❌ E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).

Be sure to read the Vault on Kubernetes Security Considerations tutorial.

You do not want to start the container as root as a security precaution.
You want to enable mlock to prevent memory swap.
Disable core dumps. Otherwise, a user may force a core dump and the resulting file can potentially expose Vault encryption keys.
Integrated Storage is recommended; however, Consul is still supported.
When running production load, you should always use with TLS.

Question 2

Your organization's Vault environment has multiple auth methods enabled. As a result, a user may have more than one login method to authenticate with Vault. However, depending on the auth method the user chose, Vault provides a different set of access to secrets. To mitigate this issue, which of the following solutions provides a secure access to Vault while giving the user necessary permissions?

🔘 A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
🔘 B: Share the root token with everyone who needs to manage secrets managed by Vault.
🔘 C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
🔘 D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.

Answer

Correct answer is A.

✅ A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
❌ B: Share the root token with everyone who needs to manage secrets managed by Vault.
❌ C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
❌ D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.

Be sure to read the Identity: Entities and Groups tutorial if you are unfamiliar with Vault entities and groups.

Choice B is a bad idea. If the user does not have the appropriate knowledge, the user can accidentally delete secrets or do something worse.
The downside of choice C is the Vault admin has multiple configurations to update; therefore, it is prone to human error. Choice A is a more straightforward solution than choice C.
Choice D does not present the actual solution to the problem. It does not describe what is significant about the new user to solve the issue.

Next steps

The Review Guide lists the exam objectives with links to corresponding documentation and tutorials. Use the table as your checklist to prepare for the exam.

Vault ops pro certification overview

Vault ops pro certification review guide