Vault
Learning path - Vault Operations Professional
Warning
These exam preparation tutorials will not be available for reference during the exam. Vault's docs and Vault's API docs
The Vault Operations Professional Certification exam asks you to perform hands-on tasks to demonstrate your knowledge, which means the only way to study for it is to practice and gain hands-on experience. Candidates are encouraged to gain as much hands-on experience as possible to build mastery using the Vault CLI.
The exam contains:
Hands-on scenarios
The exam features different scenarios, each with their own Linux environments, where you will set up the Vault environments as instructed. You can perform the operational tasks using the Vault CLI or UI. The following list includes the scenario topics you may encounter in your exam.
- Integrated Storage
- Authentication methods and secret engines
- Vault Enterprise Replication
- Vault Agent and Templating
- Policy and access control
Each scenario has more than one task to perform. For convenience, the shortcut links to the SSH session and UI are provided for each node.
Integrated Storage
You will be tested on objectives in a scenario related to configuring a Vault server with Integrated Storage (Raft).
Study tips
Integrated Storage is the recommended Vault storage backend. Therefore, the exam configures Vault with Integrated Storage throughout. Regardless of the storage backend you use today, be familiar with Integrated Storage.
You must demonstrate that you can create a Vault server configuration file based on a given requirements.
Understand the benefits of Vault Auto Unseal and know how to configure it.
Go through the Vault HA Cluster with Integrated Storage tutorial to understand the mechanics of setting up a HA cluster.
Start and initialize a Vault server using the server configuration you created.
- Know how to rekey Vault and rotate the encryption key
Authentication methods and secret engines
You will be tested on objectives related to enabling and configuring auth methods and secrets engines.
Study tips
Go through enough tutorials to be comfortable enabling and configuring auth methods and secrets engines.
Vault Enterprise Replication
You will be tested on objectives related to enabling and configuring both Vault Enterprise Disaster Recovery (DR) Replication and Vault Enterprise Performance Replication.
Study tips
Be sure you know how to:
Enable and configure Vault Enterprise Replication.
Set up Disaster Recovery (DR) Replication across the given Vault clusters.
Set up Performance Replication with paths filter based on a given requirement.
Vault Agent and Templating
You will be tested on objectives related to securely configuring Vault Agent auto-auth, token sink, and templates.
Study tips
On a given client host, you must set up a Vault Agent to authenticate with Vault and retrieve secrets. Vault Agent does not require an Enterprise binary.
If you are not currently using Vault Agent, go through the documentation and tutorials to know how to configure a Vault Agent that enables:
Policy and access control
You will be tested on objectives related to ACL policies and Vault Enterprise namespaces.
Study tips
You need to know how to write ACL policies based on a given requirement. For
example, if the requirement is to allow permission to list enabled auth methods,
what policy path and capabilities you must set.
path "sys/auth" {
capabilities = [ "read" ]
}
You can use the -output-policy flag.
$ vault auth list -output-policy
path "sys/auth" {
capabilities = ["read"]
}
The following tutorials help to practice authoring policies:
- Policies tutorial has an interactive tutorial environment
- Vault Policies
- Write a Policy using API documentation
Hybrid scenarios
The hybrid scenarios present multiple-choice questions based on a given Vault environment. In order to answer the questions, you must inspect the Vault server. Any actions or changes made to the lab environment will not be considered during grading. Grading is based on choosing the correct multiple-choice option.
Example question
Find the answers by interacting with the lab environment. Use the links in the right side navigation box to connect to the scenario-node-xxxx node. Any actions or changes made to the Scenario lab environment will not be considered in your grade. You will be graded based on your answer to the multiple-choice options below.
Your organization recently adopted Vault to encrypt sensitive customer data
before storing them in the database. A web application uses the customer key
to encrypt the data; however, Vault returns a "permission denied" error. The web
application's token has the webapp-1 policy attached.
Why is the web app receiving this error? Select one:
š The webapp-1 policy is missing update capability
š The webapp-1 policy is missing sudo capability
š The webapp-1 policy path should be transit/keys/customer
š The webapp-1 policy path should be transit/+/customer
Hints and tips
Since you will only be graded based on your answer to the multiple-choice question, any change you make to the policy will not affect your score. You can run Vault commands or use the UI to test ideas and reach your conclusion.
To find the answer to this question, you must connect to the Vault environment
(scenario5-node-xxxx node) and examine the webapp-1 policy.
$ vault policy read webapp-1
path "transit/encrypt/customer" {
capabilities = [ "create", "read" ]
}
path "transit/decrypt/customer" {
capabilities = [ "create", "read" ]
}
You might even edit the policy and generate a token to verify it.
$ vault token create -policy=webapp-1
Key Value
--- -----
token s.y57ojkoxGy50GvrvIGHlyfcr
token_accessor tuBBfq5QTUnlFU8edAQGsYQU
token_duration 768h
token_renewable true
token_policies ["default" "webapp-1"]
identity_policies []
policies ["default" "webapp-1"]
$ VAULT_TOKEN="s.y57ojkoxGy50GvrvIGHlyfcr" vault write transit/encrypt/customer \
plaintext=$(base64 <<< "This is a test")
In this case, the answer is:
ā
Correct: The webapp-1 policy is missing update capability
ā Incorrect: The webapp-1 policy is missing sudo capability
ā Incorrect: The webapp-1 policy path should be transit/keys/customer
ā Incorrect: The webapp-1 policy path should be transit/+/customer
Familiarize yourself with exam objectives by using the Review Guide. The table lists all exam objectives and provides corresponding documentation and tutorial links.
Multiple-choice questions
The multiple-choice questions ask you to apply your expertise and judgement in different situations and scenarios. You must read carefully to understand how Vault is being used to answer the questions.
You can flag the question so that you can come back later if you have enough time. Don't spend too much time on a single question, and be sure to allocate enough time to go through the rest of the exam.
Once you select your answers, click Save / Next to move forward.
Next steps
The content list lists the exam objectives with links to corresponding documentation and tutorials. See a video tour of the exam environment and view more practice questions on the exam orientation page.