Study Guide - Vault Operations Professional Certification

The Vault Operations Professional Certification exam has hands-on tasks that you must perform to demonstrate your knowledge, which means the only way to study for it is to practice and gain hands-on experience. The overview of exam objectives guides the topics covered in the exam. Candidates are encouraged to gain as much hands-on experience as possible to build mastery using the Vault CLI.

The exam is constructed of:

• Hands-on scenarios
• Hybrid scenarios
• Multiple-choice questions

Hands-on scenarios

There are four scenarios given to you each with Linux environments to set up the Vault environments as instructed. You can perform the operational tasks using Vault CLI or UI.

1. Initializing a Vault node using Integrated Storage
2. Authentication methods and secret engines
3. Vault Enterprise Replication
4. Vault Agent and Templating

Each scenario has more than one task to perform. For convenience, the shortcut links to the SSH session and UI are provided for each node.

Initializing a Vault node using Integrated Storage

You will be tested on objectives in a scenario related to initializing Vault using the Integrated Storage (Raft) backend.

Study tips

This first hands-on scenario tests fundamental Vault operations skills.

• You must demonstrate that you can create a Vault server configuration file based on a given requirements.

• Understand the benefits of Vault Auto Unseal and know how to configure it.

• Go through the Vault HA Cluster with Integrated Storage tutorial to understand the mechanics of setting up a HA cluster.

• Initialize a Vault server. Read the Production Hardening guide and learn best practices to run a hardened production Vault server.

Authentication methods and secret engines

You will be tested on objectives related to enabling and configuring auth methods and secrets engines.

Study tips

You must demonstrate that you can enable auth methods, as well as secrets engines. Most often, these are the initial Vault setup tasks. Go through enough tutorials to be comfortable enabling and configuring auth methods and secrets engines.

• Auth Methods tutorials
• Secrets Management tutorials

Vault Enterprise Replication

You will be tested on objectives related to a scenario where you must enable and configure both Vault Enterprise Disaster Recovery (DR) Replication and Vault Enterprise Performance Replication.

Study tips

You must demonstrate that you can enable and configure Vault Enterprise Replication based on a given scenario.

Be sure you know how to:

• Set up Disaster Recovery (DR) Replication across the given Vault clusters.
• Set up Performance Replication with paths filter based on a given requirement.

Vault Agent and Templating

You will be tested on objectives related to securely configuring Vault Agent auto-auth, token sink, and templates.

Study tips

On a given client host, you must set up a Vault Agent to authenticate with Vault, and retrieve secrets. Vault Agent does not require an Enterprise binary. So, if you are not currently using Vault Agent, be sure to go through the documentation and tutorials to know how to configure a Vault Agent which enables:

• Vault Agent Auto-Auth
• Vault Agent Templates

Hybrid scenarios

The hybrid style scenario presents multiple-choice questions based on a given Vault environment. In order to answer the questions, you must inspect the Vault server. Any actions or changes made to the lab environment will not be considered during grading. Graded is based on choosing the correct the multiple-choice option.

Policy and Access Control

You will be tested on objectives related to ACL policies and Vault Enterprise namespaces.

Example question

Your organization recently adopted Vault to encrypt sensitive customer data before storing them in the database. A web application uses the customer key to encrypt the data; however, Vault returns "permission denied" error. The web application's token has webapp-1 policy attached.

Why the web app is receiving this error? Select one:

🔘 The webapp-1 policy is missing update capability
🔘 The webapp-1 policy is missing sudo capability
🔘 The webapp-1 policy path should be transit/keys/customer
🔘 The webapp-1 policy path should be transit/+/customer

Hints and tips

Since you will be graded based on your answer to the multiple-choice, any change you make to the policy will not affect your score. You can run Vault commands or use the UI to test and draw your conclusion.

To find the answer to this question, you must connect to the Vault environment (scenario5-node-xxxx node) and examine the webapp-1 policy.

$ vault policy read webapp-1

path "transit/encrypt/customer" {
   capabilities = [ "create", "read" ]
}

path "transit/decrypt/customer" {
   capabilities = [ "create", "read" ]
}

You might even edit the policy and generate a token to verify it.

$ vault token create -policy=webapp-1
Key                  Value
---                  -----
token                s.y57ojkoxGy50GvrvIGHlyfcr
token_accessor       tuBBfq5QTUnlFU8edAQGsYQU
token_duration       768h
token_renewable      true
token_policies       ["default" "webapp-1"]
identity_policies    []
policies             ["default" "webapp-1"]

$ VAULT_TOKEN="s.y57ojkoxGy50GvrvIGHlyfcr" vault write transit/encrypt/customer \
    plaintext=$(base64 <<< "This is a test")

In this case, the answer is:

✅ Correct: The webapp-1 policy is missing update capability
❌ Incorrect: The webapp-1 policy is missing sudo capability
❌ Incorrect: The webapp-1 policy path should be transit/keys/customer
❌ Incorrect: The webapp-1 policy path should be transit/+/customer

Be familiar with the objectives that are covered in the hybrid questions. The Review Guide lists a table of exam objectives with its corresponding documentation and the learn tutorial link.

Multiple-choice questions

The multiple-choice questions are scenario-based. You must read carefully to understand how Vault is being used to answer the questions.

You can flag the question so that you can come back later if you have enough time at the end. Don't spend too much time on a single question, and be sure to allocate enough time to go through the rest of the exam.

Once you selected your answers, click Save / Next to move forward.

Sample multiple-choice questions

Question 1

Your organization is migrating applications to run on a Kubernetes environment. This motivated the operations team to deploy Vault on Kubernetes. Which best practices does HashiCorp recommend to securely run Vault on Kubernetes? Choose two correct answers.

🔘 A: Run as root.
🔘 B: Ensure that memory lock (mlock) is enabled to prevent memory swap.
🔘 C: Turn off core dumps inside the container to prevent possible exposure of Vault encryption keys.
🔘 D: Do not use Consul as a Vault storage backend.
🔘 E: If an intermediate load balancer exists, Vault traffic does not have to use Transport Layer Security (TLS).

Question 2

Your organization's Vault environment has multiple auth methods enabled. As a result, a user may have more than one login method to authenticate with Vault. However, depending on the auth method the user chose, Vault provides a different set of access to secrets. To mitigate this issue, which of the following solutions provides a secure access to Vault while giving the user necessary permissions?

🔘 A: Create an entity for the user, and attach required policies at the entity level so that the user's client token can inherit the appropriate policies regardless of the auth method.
🔘 B: Share the root token with everyone who needs to manage secrets managed by Vault.
🔘 C: Create a new Vault policy that permits all required actions and update all auth method configuration to attach the new policy.
🔘 D: Enable the Username & Password (userpass) auth method. Create a new user and map each of the user's entities to the newly created user.

Next steps

The Review Guide lists a table of exam objectives with its corresponding documentation and the learn tutorial link. Use the table as your check-list to prepare for the exam.