HashiCorp Vault centralizes secrets management with dynamic credential generation, PKI automation, and fine-grained policy control. Understanding secrets engines, auth methods, and lease management is critical for secure infrastructure.
1 / 5
A developer configures Vault's database secrets engine for PostgreSQL. What are dynamic secrets in this context?
Vault's database secrets engine generates dynamic credentials — unique username/password pairs created on-demand for each request with a configurable TTL (e.g., 1 hour). When the lease expires, Vault automatically revokes the credentials. This eliminates long-lived static credentials and ensures every service instance gets unique, traceable database access.
2 / 5
What is AppRole authentication in Vault and why is it used for machine-to-machine authentication?
AppRole authenticates applications using a RoleID (non-secret, embedded in the app) and a SecretID (short-lived, injected at runtime by a trusted orchestrator). The app combines both to get a Vault token. This separation allows storing RoleID in config while delivering SecretID via a separate secure channel (e.g., Vault Agent, CI/CD pipeline).
3 / 5
A security engineer enables Vault's PKI secrets engine. What workflow does this enable?
Vault's PKI secrets engine makes Vault an internal CA. Applications request certificates via the API (vault write pki/issue/role-name common_name=svc.internal) and receive a signed X.509 cert with a short TTL. This replaces manually managed long-lived certificates with automated short-lived ones that expire rather than needing revocation.
4 / 5
A Vault policy contains path "secret/data/app/*" { capabilities = ["read"] }. What does this grant?
This policy grants read capability on secret/data/app/*, which in KV v2 corresponds to reading any secret under the app/ prefix in the secret mount. KV v2 uses a /data/ path prefix for the actual secret data. Without list capability on secret/metadata/app/, the client cannot enumerate secrets but can read known paths.
5 / 5
What is the difference between a Vault token TTL and a Vault lease TTL?
Token TTL controls how long a Vault authentication token remains valid — after expiry, the token cannot be used for API calls. Lease TTL controls how long a dynamic secret (e.g., database credentials, PKI certificate) remains valid. A single token can hold multiple leases with independent TTLs; revoking the token cascades to revoke all its leases.