HashiCorp HashiCorp Security Automation Certification HCVA0-003 New Questions

The Transit secrets engine supports different key types, and the parameter used to define the cryptographic algorithm for a new key is type. For AES encryption, Vault supports AES-GCM key types such as aes256-gcm96, which is also the default Transit key type. The name identifies the key, but it does not determine whether the key uses AES. The exportable parameter controls whether key material can be exported, which is unrelated to selecting AES. The convergent_encryption setting changes encryption behavior so the same plaintext can produce the same ciphertext under specific conditions, but it does not select the algorithm. Therefore, to meet an AES requirement when creating a Transit key, the correct parameter is type.

================

To use an entity alias in an ACL policy template, the critical value is the auth method mount accessor. Vault identities can have aliases from different authentication mounts, and the same alias name may exist under different auth methods. Vault therefore identifies an alias by combining the alias name with the authentication mount accessor. In templated ACL policies, alias data is referenced with a structure such as identity.entity.aliases. < mount accessor > .metadata. < metadata key > . The auth method path alone is not the correct unique identifier for the template. A group name is used for group-based identity references, not entity aliases. A metadata key may be used after the alias accessor is known, but it is not sufficient by itself. HashiCorp documents that the mount accessor is required when using alias metadata in templated policies.

================

To create a new user named “sally” with password “h0wN0wB4r0wnC0w” and the power-users policy, you would use the Vault userpass auth method mounted at auth/userpass. You would use the following command: “vault write auth/userpass/users/sally password=h0wN0wB4r0wnC0w policies=power-users”. This command would create a new user named “sally” with the specified password and policy.  References :

[Userpass Auth Method | Vault | HashiCorp Developer]

[Create Vault policies | Vault | HashiCorp Developer]

Batch tokens are a type of tokens that are not persisted in Vault’s storage backend, but are encrypted blobs that carry enough information to perform Vault actions. Batch tokens are extremely lightweight and scalable, and can improve the throughput for token generation. Batch tokens are suitable for high-volume and ephemeral workloads, such as containers or serverless functions, that require short-lived and non-renewable tokens. Batch tokens can be created by using the -type=batch flag in the vault token create command, or by configuring the token_type parameter in the auth method’s role or mount options. Batch tokens have some limitations compared to service tokens, such as the lack of renewal, revocation, listing, accessor, and cubbyhole features.  Therefore, batch tokens should be used with caution and only when the trade-offs are acceptable. References: 1 , 2 , 3