Which of the following auth methods are intended for machine-to-machine authentication, and not necessarily human (operator) authentication? (Select four)
You are using Vault to generate dynamic credentials for a Microsoft SQL server to perform queries for a month-end report. The report seems to be taking much longer than expected due to degradation on the underlying server, and you are afraid that Vault might automatically revoke the credentials. How can you extend the time the credentials are valid to ensure your month-end query is successful?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: Dynamic credentials have a lease with a TTL, after which Vault revokes them. To extend their validity, you renew the lease. The Vault documentation states: "If a lease has been created in Vault, it has an associated TTL in which it will expire and be revoked. If the lease needs to be extended for some reason, you can use the command vault lease renew <lease_id> to extend the TTL of the lease so it will not expire at its original TTL and will be extended by the time specified in seconds from the current time the lease renewal was issued." (Vault Commands: lease renew)
* A: Correct. Renewing the lease (e.g., vault lease renew <lease_id>) extends the TTL: "Renewing the lease of the dynamic credentials in Vault allows you to extend the validity period without having to generate new credentials." (Vault Commands: lease renew)
* B: Generating a new lease creates new credentials, disrupting the query.
* C: Creating a new role doesn't extend the TTL of existing credentials.
* D: Revoking the lease terminates the credentials, halting the query.
References: Vault Commands: lease renew; Vault Concepts: Leases
Question 48
Holly has discovered that a highly privileged dynamic credential with a very long lease time was created, which could negatively impact the organization's security. What command can Holly use to invalidate the credential so it can't be used without affecting other credentials?
Correct Answer: A
Comprehensive and Detailed in Depth Explanation: To invalidate a specific dynamic credential without affecting others, Holly should use the vault lease revoke command with the exact lease ID. The HashiCorp Vault documentation states: "The lease revoke command revokes the lease on a secret, invalidating the underlying secret. To revoke a lease, you can specify the path and lease ID attached to the creds." The command vault lease revoke aws/creds/admin/27e1b9a1-27b8-83d9-9fe0-d99d786bdc83 targets the specific credential by its unique lease ID, ensuring precision without broader impact.
* A: Correct. Revoking by the full lease ID affects only that credential.
* B: Deleting the credential on the cloud platform doesn't guarantee Vault recognizes it as revoked.
* C: vault lease revoke -all revokes all leases, affecting unrelated credentials.
* D: vault lease revoke aws/creds/admin/* revokes all leases under that path, potentially impacting other valid credentials.
Thus, A is the correct command.
Reference: HashiCorp Vault Documentation - Lease Revoke Command
Question 49
Jason has enabled the userpass auth method at the path users/. What path would Jason and other Vault operators use to interact with this new auth method?
Correct Answer: C
Comprehensive and Detailed in Depth Explanation: In HashiCorp Vault, authentication methods (auth methods) are mechanisms that allow users or machines to authenticate and obtain a token. When an auth method like userpass is enabled, it is mounted at a specific path in Vault's namespace, and this path determines where operators interact with it, e.g., to log in, configure, or manage it. The userpass auth method is enabled with the command vault auth enable -path=users userpass, meaning it's explicitly mounted at the users/ path. However, Vault's authentication system has a standard convention: all auth methods are accessed under the auth/ prefix, followed by the mount path. This prefix is a logical namespace separating authentication endpoints from secrets engines or system endpoints.
* Option A (users/auth/): This reverses the expected order. The auth/ prefix comes first, followed by the mount path (users/), not the other way around. This path would not correspond to any valid Vault endpoint for interacting with the userpass auth method. Incorrect.
* Option B (authentication/users): Vault does not use authentication/ as a prefix; it uses auth/. The term "authentication" is not part of Vault's path structure; it's a conceptual term, not a literal endpoint. This makes the path invalid and unusable in Vault's API or CLI. Incorrect.
* Option C (auth/users): This follows Vault's standard convention: auth/ (the authentication namespace) followed by users (the custom mount path specified when enabling the auth method). For example, to log in using the userpass method mounted at users/, the command would be vault login -method=userpass -path=users username=<user>. The API endpoint would be /v1/auth/users/login. This is the correct path for operators to interact with the auth method, whether via CLI, UI, or API. Correct.
* Option D (users/): While users/ is the mount path, omitting the auth/ prefix breaks Vault's structure. Directly accessing users/ would imply it's a secrets engine or other mount type, not an auth method. Auth methods always require the auth/ prefix for interaction. Incorrect.
Detailed Mechanics: When an auth method is enabled, Vault creates a backend at the specified path under auth/. The userpass method, for instance, supports endpoints like /login (for authentication) and /users/<username> (for managing users). If mounted at users/, these become auth/users/login and auth/users/users/<username>. This structure ensures isolation and clarity in Vault's routing system. The ability to customize the path (e.g., users/ instead of the default userpass/) allows flexibility for organizations with multiple auth instances, but the auth/ prefix remains mandatory.
Overall Explanation from Vault Docs: "When enabled, auth methods are mounted within the Vault mount table under the auth/ prefix... For example, enabling userpass at users/ allows interaction at auth/users." This convention ensures operators can consistently locate and manage auth methods, regardless of custom paths.
Reference: https://developer.hashicorp.com/vault/docs/auth#enabling-disabling-auth-methods
Question 50
The vault lease renew command increments the lease time from:
Correct Answer: A
The vault lease renew command increments the lease time from the current time, not the end of the lease. This means that the user can request a specific amount of time they want remaining on the lease, termed the increment. This is not an increment at the end of the current TTL; it is an increment from the current time. For example, vault lease renew -increment=3600 my-lease-id would request that the TTL of the lease be adjusted to 1 hour (3600 seconds) from now. Having the increment be rooted at the current time instead of the end of the lease makes it easy for users to reduce the length of leases if they don't actually need credentials for the full possible lease period, allowing those credentials to expire sooner and resources to be cleaned up earlier. The requested increment is completely advisory. The backend in charge of the secret can choose to completely ignore it.
References:
* Lease, Renew, and Revoke | Vault | HashiCorp Developer
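The lease behaviour these explanations describe (the month-end report question, Question 48 and Question 50) can be made concrete with a small model: renewal is rooted at the current time rather than the old expiry, the requested increment is advisory and capped by the backend's maximum TTL, and revoking a single lease ID leaves sibling leases under the same path untouched while a prefix revoke removes them all. The following Python is an added illustration written for this page, not Vault's own code or API; the LeaseStore class, its method names, and the sample mount paths, TTL values and timestamps are constructed assumptions.

```python
"""Simplified model of Vault lease semantics: renew from now, advisory
increment capped by max TTL, revoke by lease ID versus by path prefix.
Illustration only; not Vault's implementation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Lease:
    lease_id: str
    issued_at: int        # seconds (constructed monotonic clock)
    expires_at: int       # current expiry
    max_expires_at: int   # hard ceiling from the role's max TTL, fixed at issue time


@dataclass
class LeaseStore:
    leases: dict = field(default_factory=dict)

    def issue(self, path: str, ttl: int, max_ttl: int, now: int) -> str:
        # Real lease IDs look like <mount>/creds/<role>/<random>; the random
        # suffix here is constructed so each issued credential is distinct.
        lease_id = f"{path}/{secrets.token_hex(8)}"
        self.leases[lease_id] = Lease(lease_id, now, now + ttl, now + max_ttl)
        return lease_id

    def renew(self, lease_id: str, increment: int, now: int) -> int:
        lease = self.leases.get(lease_id)
        if lease is None or now >= lease.expires_at:
            raise KeyError("lease not found or already expired")
        # The increment is measured from *now*, not appended to the old expiry,
        # so a small increment can shorten the lease. The backend caps the
        # result at its max TTL: the request is advisory.
        requested = now + increment
        lease.expires_at = min(requested, lease.max_expires_at)
        return lease.expires_at

    def revoke(self, lease_id: str) -> bool:
        # Exact lease ID: only this credential is invalidated.
        return self.leases.pop(lease_id, None) is not None

    def revoke_prefix(self, prefix: str) -> int:
        # Prefix revoke (cf. vault lease revoke -prefix): every lease under
        # the path goes, which is why Question 48 rejects it.
        doomed = [lid for lid in self.leases if lid.startswith(prefix)]
        for lid in doomed:
            del self.leases[lid]
        return len(doomed)


def demo() -> dict:
    """Walk through the scenarios from the explanations and return the results."""
    store = LeaseStore()
    out = {}

    # Month-end report credential: 1 h TTL, 8000 s max TTL, issued at t=0.
    report = store.issue("database/creds/report", ttl=3600, max_ttl=8000, now=0)
    # Renewing at t=1800 for 3600 s yields expiry 5400, not 3600 + 3600.
    out["renew_from_now"] = store.renew(report, 3600, now=1800)
    # A smaller increment shortens the lease so resources are freed sooner.
    out["renew_shortens"] = store.renew(report, 600, now=1800)
    # An oversized increment is honoured only up to the max TTL ceiling.
    out["renew_capped"] = store.renew(report, 10000, now=2000)

    # Three privileged credentials under one role path.
    admins = [store.issue("aws/creds/admin", ttl=3600, max_ttl=7200, now=0)
              for _ in range(3)]
    store.revoke(admins[0])  # Holly's precise revoke: one lease ID
    out["after_single_revoke"] = sum(
        lid.startswith("aws/creds/admin/") for lid in store.leases)
    out["after_prefix_revoke"] = store.revoke_prefix("aws/creds/admin/")
    out["remaining"] = len(store.leases)  # only the report lease survives
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the renewed expiries and the lease counts after each revoke. The `renew_from_now` result is the point of Question 50: a renewal at t=1800 with increment 3600 expires at 5400, exactly one hour from the renewal, not at 7200.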