Learning path - Vault Associate (002)

The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with Vault. You understand what Vault Enterprise features exist and can differentiate between Enterprise and Community Edition. You will be best prepared for this exam if you have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may be sufficient.

Prerequisites

• Basic terminal skills
• Basic understanding of on-premise or cloud architecture
• Basic level of security understanding

To learn more about the exam, visit the HashiCorp Product Certifications page.

Study for the exam

Expect to see questions associated with each exam objective. If you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam, skip to the content list.

The sample questions help you get familiar with the format of the questions.

This learning path provides links to tutorials and documentation to learn the features that are covered in the exam.

Vault fundamentals

Objectives covered: 1a-c, 2b-c, 3a-g, 4a-c, 5a, 6a-f, 7a-e, 8a-b, 9a, 9c, 9g, 9i, 9k

You will be tested on your knowledge of Vault fundamentals which include Vault architecture, seal/unseal Vault, and how to authenticate with Vault. Complete the following tasks to ensure that you understand the Vault core concepts.

• Complete the Vault Getting Started tutorials
• Read the Introduction to Vault documentation
• Read the Vault Concepts documentation to make sure that you understand the core concepts
• Review the Overview section of the Vault Commands (CLI) documentation to understand the basic structure of CLI

Study tips

• Understand the components of Vault (cryptographic barrier, storage backend, auth methods, etc.)

  • Secrets are encrypted by Vault's barrier; therefore, the storage backend contains the encrypted Vault data.

    

• Storage backend: Integrated Storage questions have been added → Preflight Checklist gives you the comparison between Consul and Integrated Storage

• Understand how seal/unseal works

  • Shamir's Secret Sharing algorithm (default)

  • Auto unseal concept (use recovery keys instead of unseal keys to regenerate a root token)

Authentication

You will be tested on your knowledge of configuring auth methods using CLI and UI.

• Understand the concept of authentication in Vault
  • There are human-centric auth methods (e.g. LDAP, GitHub) as well as machine-oriented auth methods (e.g. AWS, AppRole, Kubernetes)
• Get familiar with Vault CLI to configure auth methods
• Get familiar with Vault UI to configure auth methods
• Go through the interactive tutorial attached to the AppRole Pull Authentication tutorial

Tokens

• Read the token concepts documentation
  • Root tokens can be regenerated later if needed; therefore, you don't need to worry about persisting it somewhere
  • Know the basics of token accessor
• When tokens are created, a token accessor is also created and returned. Use it to:
  • Look up a token's properties (not including the actual token ID)
  • Look up a token's capabilities on a path
  • Renew the token
  • Revoke the token
• The number of accessors on the Vault server is the number of tokens
• Go through the tokens tutorial
  • Be familiar with the vault token sub-commands: capabilities, create, lookup, renew, revoke
  • Know the characteristics of batch tokens
• Understand the token's TTL and max TTL → know when a token expires and no longer renewable

Access management

Objectives covered: 2a-d, 3a-b, 3f-g, 6c, 7c, 9d-f

Vault policies allow you to control access to secrets managed by Vault. You will be tested to see if you understand Vault policy syntax and the basic commands that manage policies. Every Vault client (human users, applications, containers, etc.) must have a valid token to send authenticated requests to Vault. Do the following tasks to make sure you understand the basics of access management operations.

• Follow these 5 tutorials from the Access Management learning track:
  • Vault Policies
  • Identity: Entities and Groups
  • Tokens
  • Vault Agent with AWS
  • Vault Agent Templates
• Read the Vault Agent documentation

Study tips

• Go through the Vault Policies tutorial
• Be aware of the use of "*" and "+" in policy paths
• Understand that there are built-in policies: root and default
• Keep it in mind that Vault is deny by default → No policy means no access
• Understand the challenge that Vault Agent solves
  • Auto-auth allows for easy authentication and manage the lifecycle of the client token → No need to implement that in your application
  • Caching allows client-side caching of tokens and leases → Reduce the latency in getting secrets from Vault
  • Templates allows Vault Agent to leverage Consul Template markup → Your existing application can be Vault un-aware (no code change) while secrets are managed by Vault

Secrets management

Objectives covered: 4a-c, 5a-b, 5d, 6d-e, 7d-e, 9j-k

The secrets engines are responsible for managing secrets; therefore, they are a critical part of Vault. You will be tested on your knowledge of operating and managing secrets engines. Do the following tasks to ensure that you understand and can apply basic tasks associated with managing secrets.

• Browse the Secrets Engines section of the Vault documentation focusing on:
  • Overview
  • Databases
  • Key/Value
  • Identity
• Review the Secrets Management tutorials paying special attention to these 4 tutorials:
  • Introduction
  • Versioned Key/Value Secrets Engine
  • Cubbyhole Response Wrapping
  • Secrets as a Service: Dynamic Secrets
• Review the Vault product use cases. To test your understanding of Vault, some scenario-based questions will be asked

Study tips

• Read the lease, renew, and revoke documentation
  • What is a lease in Vault? Lease is the secrets generated by the Vault's dynamic secrets engines (e.g. database, aws, consul) to access the target system. For example, a lease generated by the database secrets engine contains database username, password, duration (TTL), and more.
  • Use lease ID to renew or revoke a lease
  • Be familiar with the vault lease command
  • Understand the lease time-to-live (TTL)
• Most of the questions are scenario-based to test if you can identify the common usages and benefits of secrets engines

Data encryption

Objectives covered: 5c, 10a-c

Data encryption is one of the core Vault use cases. You will be tested on your knowledge of Vault providing encryption as a service (EaaS) in transit. Do the following tasks to ensure that you have a good understanding of the EaaS use case as well as its basic functionality.

• Read the Transit section of the Secrets Engine documentation to learn its characteristics
• Follow these Data Encryption tutorials to learn its basic operation:
  • Encryption as a Service: Transit Secrets Engine
  • Transit Secrets Re-wrapping

Study tips

• Read the Encryption as a Service: Transit Secrets Engine tutorial.
  • Understand the common scenario introduced in the beginning of the tutorial, and what challenge it solves

Vault deployment architecture

Objectives covered: 9b-c, 9g-h

With Vault as your single source of secrets, it is important to understand the production deployment basics. You will be tested on your knowledge of Vault reference architecture as well as basic Vault operational tasks. Your awareness of the Vault Enterprise replication concept will be tested as well. Do the following tasks to ensure that you have a good understanding of deploying Vault in production.

• Read the Architecture section of the documentation

• Follow the Vault Reference Architecture guide

  • Be familiar with the recommended Vault Deployment Architecture diagrams (e.g. how many nodes in a cluster)

• Familiarize yourself with the Vault Enterprise features—especially Replication—by reading the documentation. Some scenario-based questions will be asked

• Be aware of Enterprise Replication and what they achieve (you just need to know the concept)

  • Performance Replication vs. Disaster Recovery (DR) Replication

  • Scaling vs. Fault-tolerance

    

    The following table shows a capability comparison between Disaster Recovery and Performance Replication.

    Capability	Disaster Recovery	Performance Replication
    Mirrors the configuration of a primary cluster	Yes	Yes
    Mirrors the configuration of a primary cluster’s backends (i.e., auth methods, secrets engines, audit devices, etc.)	Yes	Yes
    Mirrors the tokens and leases for applications and users interacting with the primary cluster	Yes	No. Secondaries keep track of their own tokens and leases. When the secondary is promoted, applications must reauthenticate and obtain new leases from the newly-promoted primary.
    Allows the secondary cluster to handle client requests	No	Yes

Next steps

For specific study materials that cover a particular exam objective, refer to the content list. Check out the sample questions to review the exam question format.

Sign up for the exam here!