HashiCorp Security Automation Certification

Cloud engineers can use the Vault Associate certification exam from HashiCorp to verify their basic security automation skills.

HashiCorp Certified: Vault Associate (002)

The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with HashiCorp Vault. Candidates will be best prepared for this exam if they have professional experience using Vault in production, but performing the exam objectives in a personal demo environment may also be sufficient. This person understands what enterprise features exist and what can and cannot be done using the Community offering. Visit the HashiCorp Certification Exam Portal to schedule and take the exam.


  • Basic terminal skills
  • Basic understanding of on premise or cloud architecture
  • Basic level of security understanding

Product version tested

Vault 1.6.0 and higher

Preparing for the exam

The Vault Associate exam has both a study guide and a review guide. While much of the information in these two guides are the same, they are presented differently for different uses. Use the study guide if you want to study all the exam objectives. Use the review guide if you already have Vault experience and/or training and want to pick and choose which objectives to review before taking the exam. There are also sample questions available so you can get a feel for what the exam will be like.

Renewing your Vault Associate certification

To renew your Vault Associate certification, you will need to take and pass the Vault Associate or Vault Operations Professional exam.

If you hold an unexpired Vault Associate certification there are two ways to recertify:

  1. You can take the same Vault Associate exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
  2. You can take the Vault Professional level exam starting 18 months after your previous exam date. When you pass the exam, you will receive a new set of credentials for the Vault Professional certification, and the expiration date will be extended on your Vault Associate credentials.

If you hold an expired Vault Associate certification: You are eligible to take the same Vault Associate exam again at any time. When you pass the exam, you will receive a new, second set of credentials with a new expiration date.

Exam Details

Assessment Type Multiple choice
Format Online proctored
Duration 1 hour
Price $70.50 USD
plus locally applicable taxes and fees
Free retake not included
Language English
Expiration 2 years

Exam Objectives

1 Compare authentication methods
1a Describe authentication methods
1b Choose an authentication method based on use case
1c Differentiate human vs. system auth methods
2 Create Vault policies
2a Illustrate the value of Vault policy
2b Describe Vault policy syntax: path
2c Describe Vault policy syntax: capabilities
2d Craft a Vault policy based on requirements
3 Assess Vault tokens
3a Describe Vault token
3b Differentiate between service and batch tokens. Choose one based on use-case
3c Describe root token uses and lifecycle
3d Define token accessors
3e Explain time-to-live
3f Explain orphaned tokens
3g Create tokens based on need
4 Manage Vault leases
4a Explain the purpose of a lease ID
4b Renew leases
4c Revoke leases
5 Compare and configure Vault secrets engines
5a Choose a secret method based on use case
5b Contrast dynamic secrets vs. static secrets and their use cases
5c Define transit engine
5d Define secrets engines
6 Utilize Vault CLI
6a Authenticate to Vault
6b Configure authentication methods
6c Configure Vault policies
6d Access Vault secrets
6e Enable Secret engines
6f Configure environment variables
7 Utilize Vault UI
7a Authenticate to Vault
7b Configure authentication methods
7c Configure Vault policies
7d Access Vault secrets
7e Enable Secret engines
8 Be aware of the Vault API
8a Authenticate to Vault via Curl
8b Access Vault secrets via Curl
9 Explain Vault architecture
9a Describe the encryption of data stored by Vault
9b Describe cluster strategy
9c Describe storage backends
9d Describe the Vault agent
9e Describe secrets caching
9f Be aware of identities and groups
9g Describe Shamir secret sharing and unsealing
9h Be aware of replication
9i Describe seal/unseal
9j Explain response wrapping
9k Explain the value of short-lived, dynamically generated secrets
10 Explain encryption as a service
10a Configure transit secret engine
10b Encrypt and decrypt secrets
10c Rotate the encryption key