Orphan tokens are tokens that are root of their own token tree. This means that they do not have any parent token associated with them, and they do not expire when their parent token expires. Orphan tokens are useful for scenarios where you need a short-lived and independent token, such as for testing or debugging purposes. Orphan tokens can also be used to create temporary access tokens for applications or services that need to communicate with Vault without using a long-lived root token.  References :  Tokens | Vault | HashiCorp Developer ,  Vault cli: how to create orphan token with role - HashiCorp Discuss

To make an authenticated request via the Vault HTTP API, you need to use the X-Vault-Token HTTP Header or the Authorization HTTP Header using the Bearer < token > scheme. The token is a string that represents your identity and permissions in Vault. You can obtain a token by using an authentication method, such as userpass, approle, aws, etc. The token can also be a root token, which has unlimited access to Vault, or a wrapped token, which is a response-wrapping token that can be used to unwrap the actual token. The token must be sent with every request to Vault that requires authentication, except for the unauthenticated endpoints, such as sys/init, sys/seal-status, sys/unseal, etc.  The token is used by Vault to verify your identity and enforce the policies that grant or deny access to various paths and operations.  References : https://developer.hashicorp.com/vault/api-docs 3 , https://developer.hashicorp.com/vault/docs/concepts/tokens 4 , https://developer.hashicorp.com/vault/docs/concepts/auth 5

To create a new user named “sally” with password “h0wN0wB4r0wnC0w” and the power-users policy, you would use the Vault userpass auth method mounted at auth/userpass. You would use the following command: “vault write auth/userpass/users/sally password=h0wN0wB4r0wnC0w policies=power-users”. This command would create a new user named “sally” with the specified password and policy.  References :

[Userpass Auth Method | Vault | HashiCorp Developer]

[Create Vault policies | Vault | HashiCorp Developer]

Integrated Storage is a Raft-based storage backend that allows Vault to store its data internally without relying on an external storage system. It also enables Vault to run in high availability mode with automatic leader election and failover. However, Integrated Storage is not immune to data loss or corruption due to hardware failures, network partitions, or human errors. Therefore, it is recommended to use the snapshot feature to backup and restore the Vault data periodically or on demand. A snapshot is a point-in-time capture of the entire Vault data, including the encrypted secrets, the configuration, and the metadata. Snapshots can be taken and restored using the vault operator raft snapshot command or the sys/storage/raft/snapshot API endpoint. Snapshots are encrypted and can only be restored with a quorum of unseal keys or recovery keys.  Snapshots are also portable and can be used to migrate data between different Vault clusters or storage backends.  References : https://developer.hashicorp.com/vault/docs/concepts/integrated-storage 1 , https://developer.hashicorp.com/vault/docs/commands/operator/raft/snapshot 2 , https://developer.hashicorp.com/vault/api-docs/system/storage/raft/snapshot 3

Not all storage backends support high availability mode for Vault. Only the storage backends that support locking can enable Vault to run in a multi-server mode where one server is active and the others are standby. Some examples of storage backends that support high availability mode are Consul, Integrated Storage, and ZooKeeper.  Some examples of storage backends that do not support high availability mode are Filesystem, MySQL, and PostgreSQL.  References : https://developer.hashicorp.com/vault/docs/concepts/ha 1 , https://developer.hashicorp.com/vault/docs/configuration/storage 2

The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs.  The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc.  References : https://developer.hashicorp.com/vault/docs/secrets/pki 1 , https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic- secrets

The statement is true. When an auth method is disabled, all users authenticated via that method lose access. This is because the tokens issued by the auth method are automatically revoked when the auth method is disabled. This prevents the users from performing any operation in Vault using the revoked tokens. To regain access, the users have to authenticate again using a different auth method that is enabled and has the appropriate policies attached.  References :  Auth Methods | Vault | HashiCorp Developer ,  auth disable - Command | Vault | HashiCorp Developer

A lease ID is a unique identifier that is assigned by Vault to every dynamic secret and service type authentication token. A lease ID contains information such as the secret path, the secret version, the secret type, etc. A lease ID can be used to track and revoke access granted to a job by Vault at completion, as it allows the scheduler to perform the following operations:

Lookup the lease information by using the vault lease lookup command or the sys/leases/lookup API endpoint. This will return the metadata of the lease, such as the expire time, the issue time, the renewable status, and the TTL.

Renew the lease if needed by using the vault lease renew command or the sys/leases/renew API endpoint. This will extend the validity of the secret or the token for a specified increment, or reset the TTL to the original value if no increment is given.

Revoke the lease when the job is completed by using the vault lease revoke command or the sys/leases/revoke API endpoint. This will invalidate the secret or the token immediately and prevent any further renewals. For example, with the AWS secrets engine, the access keys will be deleted from AWS the moment a lease is revoked.

A lease ID is different from a token ID or a token accessor. A token ID is the actual value of the token that is used to authenticate to Vault and perform requests. A token ID should be treated as a secret and protected from unauthorized access. A token accessor is a secondary identifier of the token that is used for token management without revealing the token ID. A token accessor can be used to lookup, renew, or revoke a token, but not to authenticate to Vault or access secrets. A token ID or a token accessor can be used to revoke the token itself, but not the leases associated with the token. To revoke the leases, a lease ID is required.

An authentication method is a way to verify the identity of a user or a machine and issue a token with appropriate policies and metadata. An authentication method is not an object that can be tracked or revoked, but a configuration that can be enabled, disabled, tuned, or customized by using the vault auth commands or the sys/auth API endpoints.

The Vault secret engine that can be used to build your own internal certificate authority is the PKI secret engine. The PKI secret engine generates dynamic X.509 certificates on-demand, without requiring manual processes of generating private keys and CSRs, submitting to a CA, and waiting for verification and signing. The PKI secret engine can act as a root CA or an intermediate CA, and can issue certificates for various purposes, such as TLS, code signing, email encryption, etc. The PKI secret engine can also manage the certificate lifecycle, such as rotation, revocation, renewal, and CRL generation. The PKI secret engine can also integrate with external CAs, such as Venafi or Entrust, to delegate the certificate issuance and management.  References :  PKI - Secrets Engines | Vault | HashiCorp Developer ,  Build Your Own Certificate Authority (CA) | Vault - HashiCorp Learn

This policy would allow read permissions for all secrets at path secret/bar, as well as list permissions for the secret/bar/ path.  The list permission is required to be able to see the names of the secrets under a given path 1 . The wildcard ( ) character matches any number of characters within a single path segment, while the slash (/) character matches the end of the path 2 . Therefore, the policy would grant read access to any secret that starts with secret/bar/, such as secret/bar/foo or secret/bar/baz, but not to secret/bar itself. To grant list access to secret/bar, the policy needs to specify the exact path with a slash at the end.  This policy follows the principle of least privilege, which means that it only grants the minimum permissions necessary for the users to perform their tasks 3 .

The other options are not correct because they either grant too much or too little permissions. Option A would grant both read and list permissions to all secrets under secret/bar, which is more than what is required. Option B would grant list permissions to all secrets under secret/bar, but only read permissions to secret/bar itself, which is not what is required. Option D would use an invalid character (+) in the policy, which would cause an error.