HashiCorp Vault Associate (VA-003): Complete Guide (2026)

Vault Associate is an entry-level certification that tests breadth across Vault's core architecture, authentication and authorization, Secrets Engines, lease management, data protection (Transit and friends), and operational auditing.

This article summarizes the exam scope, the scoring philosophy, the practical side of registration, and where to focus your study. For the latest information, always defer to the official documentation and certification page (https://developer.hashicorp.com/vault / https://developer.hashicorp.com/certifications/security-automation).

Exam Overview and How to Think About Scoring

Vault Associate is primarily multiple choice (single- and multi-select), with questions distributed across the blueprint's domains. The question count, time limit, and passing score can be revised, so confirm them on the official certification page right before booking.

Scoring is shaped by the domain weightings; individual questions are not necessarily equal. There is generally no partial credit. Reserve time for review and answer the questions you can fully solve first.

Questions are delivered in English by default (UI language and dictionary allowances follow the testing platform's terms)
Cross-domain scenario questions are common (e.g., questions that combine authentication and leases)
Prioritize understanding Vault's principles (separation of Auth and Secrets, policy evaluation, leases and revocation) over rote memorization of individual features

Exam Domain	Approx. Weight	Representative Topics	Practice Focus
Authentication / Authorization (Auth, Token, Policy)	20–30%	Enabling Auth methods, login flows, token types, policy HCL	Design least-privilege access with AppRole / Kubernetes
Secrets Engines and Leases	20–30%	KV v2, dynamic secrets, TTL / Max TTL, revocation	Walk through lease issue, renew, and revoke via the CLI
Data Protection (Transit, etc.)	10–20%	Encryption / decryption, sign / verify, response wrapping	Run through Transit key management and wrap / unwrap end-to-end
Operations (Init, Seal, HA, Storage)	10–20%	init / unseal, Raft (Integrated Storage), auto-unseal	Compare `vault status` output between dev mode and Raft
Auditing, Observability, Troubleshooting	5–10%	Audit devices, log formats, common errors	Trace request / response IDs in the audit log
HCP / Ecosystem Awareness	5–10%	HCP Vault operational boundaries, Vault Agent, templates	Understand a minimal Vault Agent caching / template setup

Vault Associate exam map (how the concepts connect)

Minimum hands-on warm-up before the exam: check version and status

vault --version
VAULT_ADDR=http://127.0.0.1:8200 vault status
# If a dev server is running, you can see Seal Type / Key Shares / HA Mode, etc.

Vault Core Architecture and Operational Essentials

Vault ships as a single binary that bundles storage, an API server, and the crypto core. Integrated Storage (Raft) is the most common storage backend, and HA setups run a leader election. Initialization (`init`) generates the master key, and seal / unseal control how key material is handled.

The exam frequently asks about the init / unseal flow, the difference between Raft and external storage, the auto-unseal concept, and how to read `vault status` output.

Run `init` only once; from then on, start the cluster with `unseal`
While sealed, the API responds only to health checks
Raft keeps a consistent log inside the servers; snapshots and peer management are the key operational points

Seal / Unseal Method	Key Location	Characteristics	Exam Hot Spot
Shamir (manual unseal)	Recovery keys are split among multiple people	Unseal once the threshold is met	Be able to explain `key-shares` and `key-threshold`
Auto Unseal (KMS, etc.)	Encryption key delegated to an external KMS	Automatic unseal at startup	Note that KMS availability affects startup
Recovery Keys (Enterprise / HCP)	Keys for recovery during incidents	Recovery path separate from root	Understand the intent of separating recovery rights from day-to-day operations

HA cluster overview with Raft

Shortest init-and-unseal sequence (for lab use)

# Initialize (1/1 setup for study)
vault operator init -key-shares=1 -key-threshold=1 > init.out
UNSEAL_KEY=$(grep 'Unseal Key 1:' init.out | awk '{print $4}')
ROOT_TOKEN=$(grep 'Initial Root Token:' init.out | awk '{print $4}')

# Unseal and log in
vault operator unseal "$UNSEAL_KEY"
vault login "$ROOT_TOKEN"

# Check status
vault status

The Core of Authentication (Auth) and Authorization (Policy)

In Vault, the Auth Method proves who you are, and policies decide what you can do. Tokens are short-lived containers of permissions, with parent-child inheritance and TTLs controlling how long those permissions live.

The exam asks whether you can pick the right Auth method per scenario, distinguish token types (service / batch, etc.), and apply the policy path syntax (capabilities) to the right context.

Auth choice is workload-specific (human vs. machine, inside or outside Kubernetes, cloud IAM integration)
Policies are designed by stacking allow rules; `deny` is associated with Enterprise features
Never use the root token routinely; revoke it after initial setup or store it under strict controls

Auth Method	Primary Use	Strengths	Exam Angle
userpass	Human-driven PoC / study	Simple, easy to deploy	Not suitable for production; password rotation overhead
AppRole	Server-to-server, batch jobs	Issuance control via RoleID / SecretID	Wrapped distribution and CIDR restrictions; design issuance counts and TTLs
Kubernetes	Kubernetes Pods	Auto-verifies ServiceAccount tokens	Per-pod ServiceAccount boundaries and policy binding
Cloud (AWS / GCP / Azure)	Cloud-native workloads	IAM-based attestation and short-lived tokens	Metadata verification and bind condition consistency

AppRole vs. Kubernetes authentication flow

Minimal example: defining a policy and enabling an Auth method

# Policy (read-only)
cat > readonly.hcl <<'EOF'
path "kv/data/app/*" {
  capabilities = ["read", "list"]
}
EOF
vault policy write app-read readonly.hcl

# Create the KV v2 mount and a path the policy targets
vault secrets enable -path=kv kv-v2
vault kv put kv/app/config api_key=redacted

# Enable AppRole and create a role
vault auth enable approle
vault write auth/approle/role/app-role token_policies="app-read" token_ttl=1h token_max_ttl=4h
vault read -field=role_id auth/approle/role/app-role/role-id
vault write -f -field=wrapping_token -wrap-ttl=5m auth/approle/role/app-role/secret-id

Secrets Engines and Lease Management (Renew / Revoke)

KV provides static secrets (with versioning), while Database and Cloud engines provide dynamic secrets (issued on demand and invalidated at expiration). Vault attaches a lease to every credential it issues and combines TTL, Max TTL, and Explicit Max TTL to control its lifetime.

The exam frequently asks about the difference between renew and revoke, cascading child-lease revocation when a parent token is revoked, and the difference between KV v2's data path and metadata path.

Lease renewals cannot exceed the Max TTL
Revoking a parent token revokes every child lease at once
On KV v2, data lives at `kv/data` and metadata at `kv/metadata` — do not mix up the sub-paths

Engine	Secret Type	Leased?	Operational Notes
KV v2	Static (versioned)	Not leased (reads are still audited)	Understand the API differences between data, metadata, delete, and destroy
Database	Dynamic user issuance	Yes (TTL / auto-revoke)	Design the DB role's creation / rollback statements
Cloud (AWS / GCP, etc.)	Temporary credentials	Yes	Minimize IAM permissions and limit blast radius on leaks
PKI	Short-lived certificates	Yes	CRL / OCSP and certificate role constraints

Lease lifecycle concept

Warm-up exercises for KV v2 and lease operations

# KV v2 basics
vault secrets enable -path=kv kv-v2
vault kv put kv/app/config token=abc version=1
vault kv get kv/app/config

# Try the lease concept on a dynamic secrets engine
# Example: database engine (dummy connection — use a real DSN in production)
# vault secrets enable database
# vault write database/config/mydb plugin_name=postgresql-database-plugin \
#   allowed_roles="app-role" connection_url="postgres://..."
# vault write database/roles/app-role db_name=mydb [email protected] \
#   default_ttl=1h max_ttl=4h
# Issue creds and inspect the lease
# vault read database/creds/app-role
# vault lease renew <lease_id>
# vault lease revoke <lease_id>

Data Protection (Transit / Wrap) and Auditing Key Points

Transit does not store data; it provides cryptographic operations (encrypt / decrypt, sign / verify, tokenization). The application never holds the encryption key — it operates under Vault's key management policy. Response wrapping wraps a sensitive response in a single-use wrap token so it can be distributed through a separate channel.

Enabling an Audit device records request / response metadata, improving traceability. Note that secret values are hashed before being written to the audit log.

Transit supports key rotation and key versioning
Keep `wrap-ttl` short; the receiver should unwrap exactly once
The hashing in audit logs is one-way (to prevent value leakage)

Mechanism	Primary Purpose	Audit / Security Considerations	Exam Notes
Transit	Externalize cryptographic operations	Concentrate the key-protection boundary in Vault	Mind the encrypt / decrypt API paths and key versions
Response Wrapping	Safe handoff	Single-use wrap tokens	Strategy for reissuing when `wrap-ttl` expires
Audit Device	Observability	Request IDs / hashed fields	Which devices are enabled and the log output format

Call path for encryption via Transit

Small experiments with Transit and Response Wrapping

# Enable Transit and create a key
vault secrets enable transit
vault write -f transit/keys/app-key

# Encrypt and decrypt
cipher=$(vault write -field=ciphertext transit/encrypt/app-key plaintext=$(base64 <<< 'hello'))
echo "$cipher"
vault write -field=plaintext transit/decrypt/app-key ciphertext="$cipher" | base64 -d

# Wrap and distribute (expires in 5 minutes)
vault kv get -wrap-ttl=5m kv/app/config > wrapped.json
WRAP_TOKEN=$(jq -r '.wrap_info.token' wrapped.json)
VAULT_TOKEN=$WRAP_TOKEN vault unwrap

Prep, Registration, and Exam-Day Flow

Register via the HashiCorp Certification portal. After creating an account, choose Vault Associate and book your preferred delivery method (online proctoring or, where available, a regional test center) and time slot. Delivery options, pricing, and retake policies can change, so confirm the latest details on the official page right before booking (https://developer.hashicorp.com/certifications/security-automation).

The fastest study path is to anchor on the official documentation and tutorials and repeatedly drill the CLI against a local dev server. Because questions probe whether you understand the flow of operations, keeping both the commands and the API paths in mind boosts score efficiency.

Prepare ID documents in advance (and confirm your environment meets the online-proctoring requirements)
Run a trial system check and verify your network and camera under the same conditions as the real exam
Right before exam day, re-read the blueprint and condense your weak domains onto a single page

Booking Channel	Payment / Retake (general)	Watch-outs	Notes
Official certification portal	Credit card, etc. The retake policy defines a waiting period and similar terms	Pricing may vary by region / currency	Watch the reschedule / cancellation deadlines
Online proctoring	Flexible scheduling, take it from home	Room environment rules and network quality can affect the outcome	Check in early on exam day
Test center (varies by region)	Stable facilities	Limited slot availability	Follow the rules around ID and arrival time

Timeline from registration to results

Spin up a dev server fast for study

# Dev server (ephemeral, for study only)
export VAULT_DEV_ROOT_TOKEN_ID=root
vault server -dev -dev-root-token-id=$VAULT_DEV_ROOT_TOKEN_ID &
export VAULT_ADDR=http://127.0.0.1:8200
vault status
# From here, the commands in this article work as-is

Check Your Understanding

Associate

問題 1

An application running on Kubernetes needs to fetch app-specific secrets from Vault. Which design best satisfies the requirement of combining least privilege with operational simplicity?

Enable Kubernetes Auth and bind each Pod's ServiceAccount to a Vault policy
Use userpass and embed the username / password in the application's environment variables
Distribute the root token via a ConfigMap and apply a read-only policy
Use AppRole and hard-code the SecretID into the source code

正解: A

Kubernetes Auth establishes per-Pod identity by verifying ServiceAccount tokens, making it easy to grant least-privilege access via policies. Userpass and distributing the root token are insecure. Hard-coding an AppRole SecretID into source code is also a bad design.

Frequently Asked Questions

Are the question count, exam duration, and price fixed?

No. HashiCorp updates these from time to time. Always confirm the current question count, time limit, price, and retake policy on the official certification page.

Should I prioritize learning the CLI or the API?

Use the CLI as your foundation, but memorize the underlying API paths (e.g., kv/data, transit/encrypt) alongside it for the best score efficiency. Exam questions probe path differences and concepts like TTL / Max TTL.

Do I need to know HCP Vault?

The core concepts are shared with the OSS version. HCP-specific operational boundaries and automation points may come up lightly. Rather than memorizing SKU differences, focus on concepts like the management responsibility split and auto-unseal.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

HashiCorp Vault Associate Exam Guide: Scope, Scoring, and Registration