VA-002-P HashiCorp Certified: Vault Associate Questions and Answers

The userpass auth method uses a local database that cannot interact with any services outside of the Vault instance.

Service Tokens

Service tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track.

Batch Tokens

Batch tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result, they are extremely lightweight and scalable but lack most of the flexibility and features of service tokens.

Reference link:- https://www.vaultproject.io/docs/concepts/tokens

The terraform console command provides an interactive console for evaluating expressions.

https://www.terraform.io/docs/commands/console.html

It is generally considered a best practice to not persist root tokens. Instead, a root token should be generated using Vault's operator generate-root command only when absolutely necessary.

For day-to-day operations, the root token should be deleted after configuring other auth methods which will be used by admins and Vault clients.

The persistent data stored in the backend belongs to a workspace. Initially, the backend has only one workspace, called "default", and thus there is only one Terraform state associated with that configuration.

Terraform analyses any expressions within a resource block to find references to other objects and treats those references as implicit ordering requirements when creating, updating, or destroying resources.

https://www.terraform.io/docs/configuration/resources.html

Before Vault can be used, it must be initialized and unsealed. This screen indicates that Vault has not been initialized yet and is offering you a way to do so.

The UI is enabled in the Vault configuration file, not in the CLI.

The auth enable command enables an auth method at a given path. If an auth method already exists at the given path, an error is returned.

Command to enable auth method vault auth followed by the name of the auth method.

Additional parameters can be included to specify the name of the mount.

HashiCorp style conventions suggest you that align the equals sign for consecutive arguments for easing readability for configurations

ami = "abc123"

instance_type = "t2.micro"

Each time a new provider is added to configuration -- either explicitly via a provider block or by adding a resource from that provider -- Terraform must initialize the provider before it can be used. Initialization downloads and installs the provider's plugin so that it can later be executed.

Terraform is available for macOS, FreeBSD, OpenBSD, Linux, Solaris, Windows

https://www.terraform.io/downloads.html

Vault doesn't store the data sent to the secrets engine.

The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

Everything in Vault is path-based including policies. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.

Policies are deny by default, so an empty policy grants no permission in the system.

Setting a parameter with a value of the empty list allows the parameter to contain any value.

Setting a parameter with a value of a populated list allows the parameter to contain only those values.

If any keys are specified, all non-specified parameters will be denied unless the parameter "*" is set to an empty array, which will allow all other parameters to be modified. Parameters with specific values will still be restricted to those values.

API and CLI access are managed with API tokens, which can be generated in the Terraform Cloud UI. Each user can generate any number of personal API tokens, which allow access with their own identity and permissions. Organizations and teams can also generate tokens for automating tasks that aren't tied to an individual user.

The local-exec provisioner invokes a local executable after a resource is created. This invokes a process on the machine running Terraform, not on the resource.

Note that even though the resource will be fully created when the provisioner is run, there is no guarantee that it will be in an operable state - for example, system services such as sshd may not be started yet on compute resources.

Vault supports AWS, Azure, Google Cloud, and Alibaba Cloud out of the box for secrets engines

For local state, Terraform stores the workspace states in a directory called terraform.tfstate.d.

https://www.terraform.io/docs/state/workspaces.html#workspace-internals

All interactions with Vault are done through its pathing structure. If you create a policy with a wildcard, you are giving them access to any path within Vault

A provider is responsible for understanding API interactions and exposing resources. Providers generally are an IaaS (e.g., Alibaba Cloud, AWS, GCP, Microsoft Azure, OpenStack), PaaS (e.g., Heroku), or SaaS services (e.g., Terraform Cloud, DNSimple, CloudFlare).

To view the paths leading up to the secrets/apps/app1 path in the user interface, the user must have at least LIST permissions to avoid permission denied error in the UI.

Be sure to restart your shell after installing autocompletion!

Provisioners are used to execute scripts on a local or remote machine as part of resource creation or destruction. Provisioners can be used to bootstrap a resource, cleanup before destroy, run configuration management, etc. Even if the functionality you need is not available in a provider today, HashiCorp suggests that you consider local-exec usage as a temporary workaround and to open an issue in the relevant provider's repo to discuss adding first-class support.

The kv metadata command has subcommands for interacting with the metadata and versions for the versioned secrets (K/V Version 2 secrets engine) at the specified path.

The kv metadata delete command deletes all versions and metadata for the provided key.

Reference link:- https://www.vaultproject.io/docs/commands/kv/metadata

When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.

Below are links covering details of each option:- https://www.vaultproject.io/docs/concepts/seal

AWS KMS

https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms

Auto-unseal using Transit Secrets Engine

https://learn.hashicorp.com/vault/operations/autounseal-transit

Auto-unseal using Azure Key Vault

https://learn.hashicorp.com/vault/day-one/autounseal-azure-keyvault

Auto-unseal using HSM

https://learn.hashicorp.com/vault/operations/ops-seal-wrap

Key shards don't support auto unseal instead key shards require the user to provide unseal keys to reconstruct the master key

https://www.vaultproject.io/docs/concepts/seal

The splat (*) can be used as a wildcard but can only be used at the very end of a path.

The plus sign (+) can be used in the middle of a path to denote a path segment.