Study Guide - Vault Operations Professional Certification
Warning
These exam preparation tutorials and the rest of learn.hashicorp.com will not be available for reference during the exam. Vault's docs and Vault's API docs will be available during the exam.
The Vault Operations Professional Certification exam has hands-on tasks that you must perform to demonstrate your knowledge, which means the only way to study for it is to practice and gain hands-on experience. The overview of exam objectives guides the topics covered in the exam. Candidates are encouraged to gain as much hands-on experience as possible to build mastery using the Vault CLI.
The exam is constructed of:
Hands-on scenarios
You are given four scenarios, each with its own Linux environment in which you set up Vault as instructed. You can perform the operational tasks using the Vault CLI or the UI.
- Initializing a Vault node using Integrated Storage
- Authentication methods and secret engines
- Vault Enterprise Replication
- Vault Agent and Templating
Each scenario has more than one task to perform. For convenience, the shortcut links to the SSH session and UI are provided for each node.
Initializing a Vault node using Integrated Storage
You will be tested on objectives in a scenario related to initializing Vault using the Integrated Storage (Raft) backend.
Study tips
This first hands-on scenario tests fundamental Vault operations skills.
You must demonstrate that you can create a Vault server configuration file based on given requirements.
Understand the benefits of Vault Auto Unseal and know how to configure it.
Go through the Vault HA Cluster with Integrated Storage tutorial to understand the mechanics of setting up an HA cluster.
Initialize a Vault server. Read the Production Hardening guide and learn best practices to run a hardened production Vault server.
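As an added example, not taken from the tutorial or the exam, the following server configuration file covers the pieces this scenario combines: Integrated Storage (Raft) with peers to join, a TLS listener, and Auto Unseal backed by the Transit secrets engine of a separate Vault. All addresses, file paths, node names and the key name are assumed values.

```hcl
# Added example: one node of a three-node Integrated Storage cluster.
# Every address, path and name below is an assumed value for illustration.
cluster_name = "vault-prod"
api_addr     = "https://10.0.1.11:8200"   # this node's address as advertised to clients
cluster_addr = "https://10.0.1.11:8201"   # address used for Raft and cluster traffic
ui           = true

listener "tcp" {
  address       = "0.0.0.0:8200"
  # Production hardening: always terminate TLS at Vault itself.
  tls_cert_file = "/etc/vault.d/tls/vault.crt"
  tls_key_file  = "/etc/vault.d/tls/vault.key"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"
  # List the other peers so this node can join whichever one is already up.
  retry_join {
    leader_api_addr = "https://10.0.1.12:8200"
  }
  retry_join {
    leader_api_addr = "https://10.0.1.13:8200"
  }
}

# Auto Unseal through the Transit engine of an already-unsealed Vault.
# The token Vault uses to reach it should be scoped to encrypt/decrypt on this
# one key only, and is supplied via the VAULT_TOKEN environment variable rather
# than written into this file.
seal "transit" {
  address    = "https://unsealer.example.internal:8200"
  key_name   = "autounseal"
  mount_path = "transit/"
}
```

With this file in place the node still has to be initialized once (`vault operator init`); the remaining peers then join and are unsealed automatically by the Transit seal.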
Authentication methods and secret engines
You will be tested on objectives related to enabling and configuring auth methods and secrets engines.
Study tips
You must demonstrate that you can enable auth methods, as well as secrets engines. Most often, these are the initial Vault setup tasks. Go through enough tutorials to be comfortable enabling and configuring auth methods and secrets engines.
Vault Enterprise Replication
You will be tested on objectives related to a scenario where you must enable and configure both Vault Enterprise Disaster Recovery (DR) Replication and Vault Enterprise Performance Replication.
Study tips
You must demonstrate that you can enable and configure Vault Enterprise Replication based on a given scenario.
Be sure you know how to:
- Set up Disaster Recovery (DR) Replication across the given Vault clusters.
- Set up Performance Replication with a paths filter based on a given requirement.
Vault Agent and Templating
You will be tested on objectives related to securely configuring Vault Agent auto-auth, token sink, and templates.
Study tips
On a given client host, you must set up a Vault Agent to authenticate with Vault, and retrieve secrets. Vault Agent does not require an Enterprise binary. So, if you are not currently using Vault Agent, be sure to go through the documentation and tutorials to know how to configure a Vault Agent which enables:
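The following Vault Agent configuration is an added example, not from the documentation or the exam, showing the three parts the scenario names: auto-auth (here with AppRole), a file token sink, and a template that renders a secret for the application. The Vault address, all file paths, and the KV v2 secret path and keys are assumed values.

```hcl
# Added example of a Vault Agent configuration; paths and addresses are assumed.
pid_file = "/run/vault-agent.pid"

vault {
  address = "https://vault.example.internal:8200"   # TLS, never plain HTTP
}

auto_auth {
  # AppRole auto-auth: role_id and secret_id are read from files that host
  # provisioning placed with restrictive permissions (assumed paths).
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
      # Delete the secret_id once consumed so a copied file cannot be replayed.
      remove_secret_id_file_after_reading = true
    }
  }

  # Token sink: the agent writes its client token here for local processes.
  # Anything able to read this file holds the token's permissions, so keep
  # the mode tight and the token's policies minimal.
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
      mode = 0640
    }
  }
}

# Template: render a KV v2 secret (assumed path secret/data/webapp/db with
# keys username and password) into an env file the web application reads.
template {
  contents    = <<EOT
DB_USER={{ with secret "secret/data/webapp/db" }}{{ .Data.data.username }}{{ end }}
DB_PASS={{ with secret "secret/data/webapp/db" }}{{ .Data.data.password }}{{ end }}
EOT
  destination = "/run/webapp/db.env"
  perms       = "0640"
}
```

The agent renews the token and re-renders the template when the secret changes, so the application never handles Vault credentials directly.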
Hybrid scenarios
The hybrid-style scenario presents multiple-choice questions based on a given Vault environment. In order to answer the questions, you must inspect the Vault server. Any actions or changes made to the lab environment will not be considered during grading. Grading is based on choosing the correct multiple-choice option.
Policy and Access Control
You will be tested on objectives related to ACL policies and Vault Enterprise namespaces.
Example question
Find the answers by interacting with the lab environment. Use the links in the right side navigation box to connect to the scenario5-node-xxxx node. Any actions or changes made to the Scenario 5 lab environment will not be considered in your grade. You will be graded based on your answer to the multiple-choice options below.
Your organization recently adopted Vault to encrypt sensitive customer data before storing it in the database. A web application uses the customer key to encrypt the data; however, Vault returns a "permission denied" error. The web application's token has the webapp-1 policy attached.
Why is the web app receiving this error? Select one:
🔘 The webapp-1 policy is missing update capability
🔘 The webapp-1 policy is missing sudo capability
🔘 The webapp-1 policy path should be transit/keys/customer
🔘 The webapp-1 policy path should be transit/+/customer
Hints and tips
Since you will be graded based on your answer to the multiple-choice, any change you make to the policy will not affect your score. You can run Vault commands or use the UI to test and draw your conclusion.
To find the answer to this question, you must connect to the Vault environment (scenario5-node-xxxx node) and examine the webapp-1 policy.
You might even edit the policy and generate a token to verify it.
In this case, the answer is:
✅ Correct: The webapp-1 policy is missing update capability
❌ Incorrect: The webapp-1 policy is missing sudo capability
❌ Incorrect: The webapp-1 policy path should be transit/keys/customer
❌ Incorrect: The webapp-1 policy path should be transit/+/customer
Be familiar with the objectives that are covered in the hybrid questions. The Review Guide lists a table of exam objectives with their corresponding documentation and Learn tutorial links.
Multiple-choice questions
The multiple-choice questions are scenario-based. You must read carefully to understand how Vault is being used to answer the questions.
You can flag the question so that you can come back later if you have enough time at the end. Don't spend too much time on a single question, and be sure to allocate enough time to go through the rest of the exam.

Once you have selected your answers, click Save / Next to move forward.

Sample multiple-choice questions
Question 1
Your organization is migrating applications to run on a Kubernetes environment. This motivated the operations team to deploy Vault on Kubernetes. Which best practices does HashiCorp recommend to securely run Vault on Kubernetes? Choose two correct answers.
🔘 A: Run as root.
🔘 B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
🔘 C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
🔘 D: Do not use Consul as a Vault storage backend.
🔘 E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).
The correct answers are B and C.
❌ A: Run as root.
✅ B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
✅ C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
❌ D: Do not use Consul as a Vault storage backend.
❌ E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).
Be sure to read the Vault on Kubernetes Security Considerations tutorial.
- You do not want to start the container as root as a security precaution.
- You want to enable mlock to prevent memory swap.
- Disable core dumps. Otherwise, a user may force a core dump and the resulting file can potentially expose Vault encryption keys.
- Integrated Storage is recommended; however, Consul is still supported.
- When running a production load, you should always use TLS.
Question 2
Your organization's Vault environment has multiple auth methods enabled. As a result, a user may have more than one login method to authenticate with Vault. However, depending on the auth method the user chose, Vault provides a different set of access to secrets. To mitigate this issue, which of the following solutions provides secure access to Vault while giving the user the necessary permissions?
🔘 A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
🔘 B: Share the root token with everyone who needs to manage secrets managed by Vault.
🔘 C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
🔘 D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.
The correct answer is A.
✅ A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
❌ B: Share the root token with everyone who needs to manage secrets managed by Vault.
❌ C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
❌ D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.
Be sure to read the Identity: Entities and Groups tutorial if you are unfamiliar with Vault entities and groups.
Choice B is a bad idea. If the user does not have the appropriate knowledge, the user can accidentally delete secrets or do something worse.
The downside of choice C is the Vault admin has multiple configurations to update; therefore, it is prone to human error. Choice A is a more straightforward solution than choice C.
Choice D does not present the actual solution to the problem. It does not describe what is significant about the new user to solve the issue.
Next steps
The Review Guide lists a table of exam objectives with their corresponding documentation and Learn tutorial links. Use the table as your checklist to prepare for the exam.