Study guide - Vault operations professional certification
Warning
These exam preparation tutorials will not be available for reference during the exam. Only Vault's docs and Vault's API docs will be available during the exam.
The Vault Operations Professional Certification exam asks you to perform hands-on tasks to demonstrate your knowledge, which means the only way to study for it is to practice and gain hands-on experience. Candidates are encouraged to gain as much hands-on experience as possible to build mastery using the Vault CLI.
The exam contains:
Hands-on scenarios
The exam features different scenarios, each with their own Linux environments, where you will set up the Vault environments as instructed. You can perform the operational tasks using the Vault CLI or UI. The following list includes the scenario topics you may encounter in your exam.
- Integrated Storage
- Authentication methods and secret engines
- Vault Enterprise Replication
- Vault Agent and Templating
- Policy and access control
Each scenario has more than one task to perform. For convenience, the shortcut links to the SSH session and UI are provided for each node.
Integrated Storage
You will be tested on objectives in a scenario related to configuring a Vault server with Integrated Storage (Raft).
Study tips
Integrated Storage is the recommended Vault storage backend. Therefore, the exam configures Vault with Integrated Storage throughout. Regardless of the storage backend you use today, be familiar with Integrated Storage.
You must demonstrate that you can create a Vault server configuration file based on given requirements.
Understand the benefits of Vault Auto Unseal and know how to configure it.
Go through the Vault HA Cluster with Integrated Storage tutorial to understand the mechanics of setting up an HA cluster.
Start and initialize a Vault server using the server configuration you created.
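As an added example (not from the original guide), the following server configuration covers the three points above in one file: Integrated Storage with retry_join, a TLS listener, and AWS KMS Auto Unseal. Hostnames, file paths, the region and the KMS key ID are placeholders.

```hcl
# Added example, not from the original study guide. Hostnames, file paths,
# the region and the KMS key ID are placeholders; replace them with real values.
ui           = true
cluster_name = "vault-primary"

# Integrated Storage (Raft). Each node needs a unique node_id. On start the node
# joins the cluster by contacting any of the listed peers over the API port, so
# it also needs the CA that signed their TLS certificates.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault_1"

  retry_join {
    leader_api_addr     = "https://vault_2.example.internal:8200"
    leader_ca_cert_file = "/opt/vault/tls/ca.pem"
  }
  retry_join {
    leader_api_addr     = "https://vault_3.example.internal:8200"
    leader_ca_cert_file = "/opt/vault/tls/ca.pem"
  }
}

# Client API listener. TLS stays on; Raft reuses this certificate for
# cluster-to-cluster traffic on the cluster port (8201 by default).
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/opt/vault/tls/vault.pem"
  tls_key_file    = "/opt/vault/tls/vault-key.pem"
  tls_min_version = "tls12"
}

# Addresses that clients and the other Raft members use to reach this node.
# Both must be routable from the other nodes or joins and request forwarding fail.
api_addr     = "https://vault_1.example.internal:8200"
cluster_addr = "https://vault_1.example.internal:8201"

# Auto Unseal: the root key is wrapped by an AWS KMS key instead of Shamir
# unseal key shares, so the node unseals itself after a restart. AWS credentials
# come from the instance role or the standard AWS environment variables.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "00000000-0000-0000-0000-000000000000" # placeholder
}
```

After `vault operator init` on the first node, the other nodes start with the same layout (their own node_id, certificate and addresses) and join automatically; with Auto Unseal, init returns recovery keys rather than unseal keys.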
Authentication methods and secret engines
You will be tested on objectives related to enabling and configuring auth methods and secrets engines.
Study tips
Go through enough tutorials to be comfortable enabling and configuring auth methods and secrets engines.
Vault Enterprise Replication
You will be tested on objectives related to enabling and configuring both Vault Enterprise Disaster Recovery (DR) Replication and Vault Enterprise Performance Replication.
Study tips
Be sure you know how to:
- Enable and configure Vault Enterprise Replication.
- Set up Disaster Recovery (DR) Replication across the given Vault clusters.
- Set up Performance Replication with a paths filter based on a given requirement.
Vault Agent and Templating
You will be tested on objectives related to securely configuring Vault Agent auto-auth, token sink, and templates.
Study tips
On a given client host, you must set up a Vault Agent to authenticate with Vault and retrieve secrets. Vault Agent does not require an Enterprise binary.
If you are not currently using Vault Agent, go through the documentation and tutorials to know how to configure a Vault Agent that enables:
Policy and access control
You will be tested on objectives related to ACL policies and Vault Enterprise namespaces.
Study tips
You need to know how to write ACL policies based on a given requirement. For example, if the requirement is to allow permission to list enabled auth methods, you must know which policy path and capabilities to set. You can use the -output-policy flag to have the Vault CLI print the policy a given command requires instead of executing it.
The following tutorials help to practice authoring policies:
- Policies tutorial has an interactive tutorial environment
- Vault Policies
- Write a Policy using API documentation
Hybrid scenarios
The hybrid scenarios present multiple-choice questions based on a given Vault environment. In order to answer the questions, you must inspect the Vault server. Any actions or changes made to the lab environment will not be considered during grading. Grading is based on choosing the correct multiple-choice option.
Example question
Find the answers by interacting with the lab environment. Use the links in the right side navigation box to connect to the scenario-node-xxxx node. Any actions or changes made to the Scenario lab environment will not be considered in your grade. You will be graded based on your answer to the multiple-choice options below.
Your organization recently adopted Vault to encrypt sensitive customer data before storing it in the database. A web application uses the customer key to encrypt the data; however, Vault returns a "permission denied" error. The web application's token has the webapp-1 policy attached.
Why is the web app receiving this error? Select one:
🔘 The webapp-1 policy is missing update capability
🔘 The webapp-1 policy is missing sudo capability
🔘 The webapp-1 policy path should be transit/keys/customer
🔘 The webapp-1 policy path should be transit/+/customer
Hints and tips
Since you will only be graded based on your answer to the multiple-choice question, any change you make to the policy will not affect your score. You can run Vault commands or use the UI to test ideas and reach your conclusion.
To find the answer to this question, you must connect to the Vault environment (scenario5-node-xxxx node) and examine the webapp-1 policy.
You might even edit the policy and generate a token to verify it.
In this case, the answer is:
✅ Correct: The webapp-1 policy is missing update capability
❌ Incorrect: The webapp-1 policy is missing sudo capability
❌ Incorrect: The webapp-1 policy path should be transit/keys/customer
❌ Incorrect: The webapp-1 policy path should be transit/+/customer
Familiarize yourself with exam objectives by using the Review Guide. The table lists all exam objectives and provides corresponding documentation and tutorial links.
Multiple-choice questions
The multiple-choice questions ask you to apply your expertise and judgement in different situations and scenarios. You must read carefully to understand how Vault is being used to answer the questions.
You can flag the question so that you can come back later if you have enough time. Don't spend too much time on a single question, and be sure to allocate enough time to go through the rest of the exam.

Once you select your answers, click Save / Next to move forward.

Sample multiple-choice questions
Question 1
Your organization is migrating applications to run on a Kubernetes environment. This motivated the operations team to deploy Vault on Kubernetes. Which best practices does HashiCorp recommend to securely run Vault on Kubernetes? Choose two correct answers.
🔘 A: Run as root.
🔘 B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
🔘 C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
🔘 D: Do not use Consul as a Vault storage backend.
🔘 E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).
Correct answers are B and C.
❌ A: Run as root.
✅ B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
✅ C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
❌ D: Do not use Consul as a Vault storage backend.
❌ E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).
Be sure to read the Vault on Kubernetes Security Considerations tutorial.
- You do not want to start the container as root as a security precaution.
- You want to enable mlock to prevent memory swap.
- Disable core dumps. Otherwise, a user may force a core dump and the resulting file can potentially expose Vault encryption keys.
- Integrated Storage is recommended; however, Consul is still supported.
- When running production load, you should always use TLS.
Question 2
Your organization's Vault environment has multiple auth methods enabled. As a result, a user may have more than one login method to authenticate with Vault. However, depending on the auth method the user chose, Vault provides a different set of access to secrets. To mitigate this issue, which of the following solutions provides secure access to Vault while giving the user the necessary permissions?
🔘 A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
🔘 B: Share the root token with everyone who needs to manage secrets managed by Vault.
🔘 C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
🔘 D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.
Correct answer is A.
✅ A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
❌ B: Share the root token with everyone who needs to manage secrets managed by Vault.
❌ C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
❌ D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.
Be sure to read the Identity: Entities and Groups tutorial if you are unfamiliar with Vault entities and groups.
Choice B is a bad idea. If the user does not have the appropriate knowledge, the user can accidentally delete secrets or do something worse.
The downside of choice C is the Vault admin has multiple configurations to update; therefore, it is prone to human error. Choice A is a more straightforward solution than choice C.
Choice D does not present the actual solution to the problem. It does not describe what is significant about the new user to solve the issue.
Next steps
The Review Guide lists the exam objectives with links to corresponding documentation and tutorials. Use the table as your checklist to prepare for the exam.