How to Study for Vault Certifications: Associate / Ops Key Points via Official Learn and Hands-on

Rather than focusing only on exam prep, the fastest route is to turn the material into knowledge you can use directly on the job. This guide leans on official documentation and stable Learn modules, with a hands-on emphasis.

Associate is about accurately grasping concepts and core features. Ops focuses on the responsibility of actually running Vault: initialization, unsealing, storage, auditing, and policy operations.

Exam Overview and Key Points (Associate / Ops Common)

Vault exams assess whether you correctly understand the flow of authentication → authorization → secret distribution → lease management → auditing. Associate centers on concepts, representative use cases, major secret engines (KV, DB, Transit, PKI), and auth methods (Token, AppRole, Kubernetes, OIDC, etc.). Ops asks about initialization and unsealing, storage (Integrated Storage / Raft), backups, auditing, and token operations (TTL / Lease / Renew / Revoke).

Do not dive too deep into Enterprise-specific features (namespaces, performance replication, etc.). Even when they appear, it is safer to limit yourself to explaining the concept and purpose. For details, follow the stable items in the official documentation.

• Authentication: characteristics and use cases for userpass, AppRole, Kubernetes, OIDC, and Token
• Authorization: policies (path rules, capabilities), evaluation order of default/deny
• Secret engines: KV v1/v2 differences, DB dynamic credentials, Transit (encryption/signing/decryption), PKI (intermediate CA / roles / validity period)
• Tokens: service/batch, orphan, periodic, TTL and max_ttl, renewal and re-issuance
• Leases: issuing, renewing, and revoking dynamic secrets; cautions on reuse
• Operations: init/unseal/rekey/rotate, Raft storage, snapshots, auditing (file/socket, redaction)

The flow of authentication → authorization → secret distribution in Vault

Official Learn Roadmap: The Fastest Coverage Order

The official Learn tutorials are structured so you actually use both CLI and API. Going through them in the order below naturally covers the Associate blueprint and also builds the operational commands you need for Ops.

In each module, always be aware of the gap between the CLI's simplified path (vault kv get secret/foo) and the actual API path (/v1/secret/data/foo). The exam frequently asks about this difference.

• 1) KV v2 basics (write/read/version/metadata/delete and destroy)
• 2) Authentication (in the order Token basics → AppRole → Kubernetes → OIDC)
• 3) Dynamic secrets (database): confirm lease and TTL behavior
• 4) Transit (encryption/decryption/signing/verification): emphasize that plaintext is not stored
• 5) PKI (root / intermediate / role / CRL): the relationship between revocation and validity period
• 6) Auditing (file/socket, redact settings)

Building a Hands-on Environment (Safely and Quickly)

The fastest way to grasp how Vault behaves is -dev mode. Single-node, in-memory storage, and auto-unseal are plenty for learning. However, the exam emphasizes that it is not suitable for production. The same setup can be reproduced with Docker.

If you have Ops in scope, take time to experience starting with Integrated Storage (Raft) and taking a snapshot at least once. Understanding backup and recovery is a reliable source of exam points.

• Dev mode is convenient but not production-ready (single node, no persistence, simplified security)
• The CLI operates assuming the VAULT_ADDR/VAULT_TOKEN environment variables
• For KV v2 the API path becomes secret/data/foo, etc. (do not confuse with the CLI simplification)
• Raft can take a logical backup via snapshot (essential for Ops)

A minimal 15-minute hands-on (dev + KV v2 + AppRole + Transit)

# 1) devサーバ起動（学習用。実運用不可）
vault server -dev -dev-root-token-id=root &
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'

# 2) KV v2 を有効化し、データを書き/読む
vault secrets enable -path=secret -version=2 kv
vault kv put secret/app/config db_user=app db_pass=s3cr3t
vault kv get secret/app/config

# 3) ポリシーを作成（読み取りのみ許可）
cat <<'EOF' > read-app.hcl
path "secret/data/app/*" {
  capabilities = ["read"]
}
EOF
vault policy write read-app read-app.hcl

# 4) AppRole を作成し、ロールとポリシーを紐付け
vault auth enable approle
vault write auth/approle/role/app role_name=app policies=read-app secret_id_ttl=1h token_ttl=15m token_max_ttl=1h
ROLE_ID=$(vault read -field=role_id auth/approle/role/app/role-id)
SECRET_ID=$(vault write -field=secret_id auth/approle/role/app/secret-id)

# 5) AppRoleでログインしてシークレットを読む
APP_TOKEN=$(vault write -field=token auth/approle/login role_id="$ROLE_ID" secret_id="$SECRET_ID")
VAULT_TOKEN=$APP_TOKEN vault kv get secret/app/config

# 6) Transitを有効化して暗号/復号（平文は保存されない）
vault secrets enable transit
vault write -f transit/keys/appkey
CIPHERTEXT=$(vault write -field=ciphertext transit/encrypt/appkey plaintext=$(echo -n 'hello' | base64))
vault write -field=plaintext transit/decrypt/appkey ciphertext=$CIPHERTEXT | base64 -d

# 7) 監査を有効化（学習用にfile出力。実行権限/パスに注意）
sudo touch /var/log/vault_audit.log && sudo chmod 666 /var/log/vault_audit.log
vault audit enable file file_path=/var/log/vault_audit.log

Must-Have Operations (Ops) Topics

Initialization (init) splits the master key via Shamir, and unsealing requires keys equal to the threshold. Auto-unseal (cloud KMS integration) appears frequently in the Ops area. rekey regenerates the split keys, while rotate rotates the internal encryption key — they are different operations.

Integrated Storage (Raft) is simple and suited for production use, and backups can be taken via snapshots. For auditing, enable devices such as file/socket; sensitive information can be redacted. For tokens, organize the differences between service/batch, plus periodic, orphan, and the relationship between TTL and max_ttl.

• Differences and phrasing of vault operator init / unseal / rekey / rotate
• Benefits of auto-unseal (automatic recovery on boot, separation of key management)
• Raft snapshot: vault operator raft snapshot save/restore
• Audit logs: meaning of enable/disable, file_path, and redact settings
• Tokens: batch tokens are not stored and not renewable; service tokens can be renewed and re-issued

Question Patterns and Pitfalls (Avoiding Common Mistakes)

Confusing the CLI simplified path with the API path, mixing up KV v1 and v2, and misreading token types and TTL behavior are classic traps. Watch out for policy evaluation order (deny precedence) and path wildcards as well. Emphasize that Transit is a cryptographic service and does not store plaintext.

Response wrapping is a mechanism that distributes a temporary token rather than the secret itself. unwrap retrieves it once, and then the token expires. Being able to explain a safe handoff flow gives you an edge.

• KV v2: the CLI is vault kv get secret/foo, but the API is /v1/secret/data/foo
• Policy: explicit deny takes precedence; design capabilities with least privilege
• Tokens: batch are non-persistent and non-renewable; service tokens are renewable, re-issuable, and subject to leasing
• TTL: explicit ttl <= max_ttl. periodic can persist on a fixed renewal cycle
• DB dynamic secrets: revoke invalidates only the targeted credential; understand the scope of impact
• Transit: plaintext is not stored. Key rotation is managed via versions

Last-Minute Checklist and Study Plan (7-Day Target)

Finish your study by going hands-on for verification, then memorizing key points, then taking mock exams. Here is the fastest 7-day plan to cover both Associate and Ops. Tying it to real-world scenarios makes it stick.

Even when time is short, do not skip hands-on practice for KV v2, AppRole, DB dynamic credentials, Transit, and init/unseal/audit/raft snapshot.

• Day 1: Organize concepts (Auth/Policy/Secrets/Lease) and start dev mode
• Day 2: KV v2, policies, and the wrapping flow
• Day 3: AppRole / Kubernetes authentication (try at least one on a real cluster)
• Day 4: DB dynamic credentials (issue → renew → revoke)
• Day 5: Basic Transit / PKI operations
• Day 6: Ops: init/unseal/rekey/rotate, auditing, Raft snapshots

Check with a Practice Question

Frequently Asked Questions