Introduction
The HashiCorp Vault Associate (002) is the gold-standard credential for secrets management. As enterprises consolidate secrets, encryption, identity-based access, and PKI onto Vault, demand for engineers who can deploy, configure, and operate Vault has exploded.
At $70.50, it’s also one of the cheapest serious DevSecOps certifications available. It complements cloud security certifications (AZ-500, AWS Security Specialty) and IaC certifications (Terraform Associate) particularly well.
This guide covers the current 002 exam (released early 2024 and still current in 2026), the nine objective groups, exam format, and a realistic 4–6 week prep plan.
Who Vault Associate Is For
The Vault Associate is the right exam if you:
- Have 3–6 months of hands-on Vault experience (community or enterprise)
- Work as a DevOps engineer, security engineer, platform engineer, SRE, or identity engineer
- Manage secrets, encryption, or PKI in any environment
- Want a portable security credential to pair with a cloud security cert
It is the only major vendor-neutral secrets-management certification with significant industry recognition.
Vault Associate Exam Specifications
| Attribute | Detail |
|---|---|
| Exam code | Vault-Associate 002 (current) |
| Title | HashiCorp Certified: Vault Associate |
| Format | Multi-choice, multi-select, true/false, fill-in-the-blank, matching |
| Questions | ~57 |
| Duration | 60 minutes |
| Passing score | Not published (pass/fail) |
| Cost | $70.50 USD |
| Languages | English |
| Delivery | Online proctored via PSI |
| Validity | 2 years |
| Prerequisites | None |
Vault Associate 002 Objectives
The 002 exam covers nine objectives:
| Objective | Topic |
|---|---|
| 1 | Compare authentication methods |
| 2 | Create Vault policies |
| 3 | Assess Vault tokens |
| 4 | Manage Vault leases |
| 5 | Compare and configure Vault secrets engines |
| 6 | Utilize Vault CLI |
| 7 | Utilize Vault UI |
| 8 | Be aware of the Vault API |
| 9 | Explain Vault architecture fundamentals |
Objective 1: Authentication Methods
- Userpass, AppRole, GitHub, LDAP, OIDC, Kubernetes, JWT, AWS IAM, Azure, GCP, TLS certs
- Default vs. configured paths
- Token TTLs and renewal
- When to use AppRole (machine-to-machine) vs. cloud-native auth (workload identity)
Objective 2: Policies
- HCL policy syntax
- Path-based permissions: create, read, update, delete, list, sudo
- Wildcards (*, +) and path priority
- Identity-based policies via entities and groups
- Templated policies (e.g., path "secret/data/{{identity.entity.id}}/*")
Objective 3: Tokens
- Service tokens vs. batch tokens
- Periodic, orphan, and root tokens
- Token accessors
- Token policies and TTLs
- Token revocation (including by accessor)
Objective 4: Leases
- Lease IDs and lease duration
- Renewal vs. revocation
- Max TTL behavior
- Lease revocation hierarchies
Objective 5: Secrets Engines
- KV v1 vs. KV v2 (versioning, soft delete, cas)
- Database secrets engine: dynamic credentials for PostgreSQL, MySQL, Oracle, Cassandra, MongoDB
- PKI secrets engine: root and intermediate CAs, role configuration, certificate issuance
- AWS secrets engine: STS, IAM user, federation token
- Azure secrets engine: service principal generation
- GCP secrets engine: service account key generation
- Transit secrets engine: encryption-as-a-service, key versioning, convergent encryption
- TOTP and SSH secrets engines at high level
Objective 6: Vault CLI
- vault login, vault token, vault read, vault write, vault list, vault delete
- Output formats (-format=json, -format=table)
- Address and namespace flags
- Working with environment variables (VAULT_ADDR, VAULT_TOKEN, VAULT_NAMESPACE)
Objective 7: Vault UI
- Enabling and accessing the UI
- Common operations through the UI (auth, secrets, policies, tokens, leases)
- When CLI is preferable to UI
Objective 8: Vault API
- REST endpoints structure (/v1/sys/..., /v1/auth/..., /v1/secret/data/...)
- Headers (X-Vault-Token, X-Vault-Namespace)
- Common HTTP verbs and status codes
- KV v2 API quirks (/data/ vs. /metadata/)
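The KV v2 /data/ and /metadata/ prefixes matter most when writing policies, because a policy path is matched against the API path, not the key you type at the CLI. The following is an added example, not HashiCorp's code or part of the original guide: a simplified Python model of policy path matching with the * and + wildcards from Objective 2. The mount name secret, the rules and the keys are constructed, and Vault's priority ordering between overlapping rules is not modelled.

```python
# Added example: simplified model of Vault policy path matching against KV v2 API paths.
# The mount "secret", the rules and the keys below are constructed for illustration.

def kv2_api_paths(mount, key):
    """Map a KV v2 logical key to the API paths a policy has to cover."""
    return {
        "data": f"{mount}/data/{key}",          # secret values (versioned)
        "metadata": f"{mount}/metadata/{key}",  # key listing and version metadata
    }

def matches(pattern, path):
    """'*' is a prefix glob, valid only as the last character; '+' matches one segment."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    pat, req = pattern.split("/"), path.split("/")
    if len(req) < len(pat) or (not glob and len(req) != len(pat)):
        return False
    for i, seg in enumerate(pat):
        if seg == "+":
            continue
        if glob and i == len(pat) - 1:
            if not req[i].startswith(seg):
                return False
        elif seg != req[i]:
            return False
    return True

def allowed(rules, path, capability):
    """Assumption: grant if any matching rule lists the capability.
    Vault's path-priority ordering between overlapping rules is not modelled."""
    return any(capability in caps for pat, caps in rules.items() if matches(pat, path))

# Written as if the mount were KV v1: never matches a KV v2 API path.
NAIVE = {"secret/app/*": ["read", "list"]}
READ_ONLY = {
    "secret/data/app/*": ["read"],      # read secret values under app/
    "secret/metadata/app/*": ["list"],  # list keys under app/
    "secret/data/+/shared": ["read"],   # '+' stands for exactly one segment
}

def check(rules, key, capability, kind="data"):
    return allowed(rules, kv2_api_paths("secret", key)[kind], capability)

if __name__ == "__main__":
    for rules, name in ((NAIVE, "naive"), (READ_ONLY, "read-only")):
        print(name, "read app/db:", check(rules, "app/db", "read"))
```

The naive rule grants nothing on a KV v2 mount, while the read-only rules allow reading values and listing keys without granting update or metadata read.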
Objective 9: Architecture Fundamentals
- Storage backends: Integrated Storage (Raft), Consul, Vault on Kubernetes
- Seal and unseal: Shamir secret sharing, auto-unseal with cloud KMS / Transit
- Performance vs. disaster recovery replication (Enterprise) — high-level
- HA and clustering basics
- Namespaces (Enterprise) — high-level
- Audit devices (file, syslog, socket)
What Makes the Exam Tricky
- Question format variety. Like Terraform Associate: multi-choice, multi-select, fill-in-the-blank, matching, true/false. Don’t be surprised.
- KV v1 vs. KV v2. Several questions require knowing version differences and API path differences.
- Token nuances. Service vs. batch, periodic vs. orphan, revocation rules — high yield, low study weight in many guides.
- Lease vs. token confusion. They’re related but distinct concepts.
- AppRole vs. workload identity. Modern best practice favors cloud-native workload identity over AppRole; the exam tests both.
Hands-On Skills to Build
Before booking, you should be able to do these without consulting docs:
- Run a dev-mode Vault server locally and authenticate via userpass and token
- Enable KV v2 at a custom path and write/read versioned secrets
- Configure a database secrets engine generating dynamic PostgreSQL credentials
- Configure PKI: root CA → intermediate CA → role → issue a certificate
- Configure AWS secrets engine to generate STS tokens for an IAM role
- Configure Transit and encrypt/decrypt arbitrary data via the API
- Write an HCL policy granting read-only access to a specific KV path
- Create a token with a TTL, renew it, and then revoke it by accessor
- Enable an audit device to a file and view audit log entries
- Configure AppRole with role_id and secret_id, login, and use the resulting token
Recommended 4–6 Week Study Plan
Week 1: Architecture and CLI basics
- Storage backends, seal/unseal, HA basics
- Vault CLI fundamentals
- Token and policy basics
Week 2: Authentication methods
- Userpass, AppRole, OIDC, Kubernetes, cloud auth
- Token TTL and renewal
- Identity entities and groups
Week 3: Secrets engines
- KV v1 vs. v2 deep dive
- Database secrets engine (dynamic credentials)
- PKI (root + intermediate flow)
- AWS, Azure, GCP secrets engines
- Transit encryption-as-a-service
Week 4: Policies, leases, audit, UI/API
- HCL policy writing and templated policies
- Lease management and revocation
- Audit devices
- API path patterns and KV v2 quirks
Weeks 5–6: Practice exams
- 3+ full-length mocks from Sailor.sh’s Vault Associate mock exam bundle
- Targeted re-study on weakest objective
- Hands-on lab repetition
Free Resources
- HashiCorp Learn: “Get Certified” Vault Associate study guide — free, official
- Vault documentation: the canonical truth source for every secrets engine and auth method
- Vault tutorial videos on HashiCorp YouTube
- Sailor.sh Vault Associate mock exam bundle — realistic, 002-aligned exam practice
Salary Impact
Vault Associate alone won’t shift a salary band, but combined with relevant security or DevOps experience, it’s a meaningful resume signal:
- US: +$5K–$15K bump for “DevSecOps engineer + Vault Associate” over peers without it
- Strong signal for platform engineering, security engineering, and consulting roles
- Increasingly required at HashiCorp Partner consultancies
Vault Associate vs. Cloud Security Certs
| Certification | Provider | Cost | Focus | Validity |
|---|---|---|---|---|
| Vault Associate | HashiCorp | $70.50 | Vendor-neutral secrets management | 2 years |
| AZ-500 | Microsoft | $165 | Azure security | 1 year |
| AWS Security Specialty | AWS | $300 | AWS security | 3 years |
| CompTIA Security+ | CompTIA | $392 | General security fundamentals | 3 years |
| CISSP | (ISC)² | $749 | Enterprise security management | 3 years |
Vault Associate is the cheapest of the bunch and the only one with deep secrets-management focus.
Most Common Reasons People Fail
- Skipping the API path quirks. KV v2 paths (/data/, /metadata/) trip up otherwise-prepared candidates.
- Treating PKI lightly. Root vs. intermediate vs. role configuration is a common question source.
- Weak token type distinctions. Service vs. batch, orphan vs. periodic — tested with realistic scenarios.
- No hands-on practice. Memorizing concepts is insufficient; configure each major secrets engine end-to-end.
- Confusing leases and tokens. Both have TTLs but apply to different things.
After You Pass
Strong next moves:
- HashiCorp Terraform Associate: complementary IaC credential
- HashiCorp Vault Operations Professional (deeper, hands-on credential when available)
- Cloud security certs: AZ-500 or AWS Security Specialty
- General security depth: CompTIA Security+ or CISSP
Frequently Asked Questions
Q: Is Vault Associate worth it in 2026? A: Yes. Secrets management adoption is growing fast and Vault is the dominant tool. The exam is cheap and the credential signals real DevSecOps capability.
Q: How hard is the Vault Associate? A: Medium. With prior Vault experience, 4 weeks of focused prep suffices. Without it, plan 6–8 weeks plus serious hands-on lab time.
Q: Do I need Vault Enterprise to study? A: No — community Vault (free) covers most exam content. Enterprise-only features (namespaces, replication) are tested at a conceptual level only.
Q: Does Vault Associate expire? A: Yes, after 2 years. Retake or earn a higher HashiCorp credential.
Q: Can I pass with only Kubernetes experience using Vault? A: Possibly, if your Kubernetes experience includes Vault auth + secret injection. Still, broader exposure to other secrets engines and auth methods is essential.
Q: What’s the best practice resource? A: HashiCorp Learn + hands-on dev-mode practice + Sailor.sh’s Vault Associate mock exam bundle for realistic, 002-aligned questions.
Ready to Start?
Vault Associate is an unusually high-ROI security credential for engineers already adjacent to DevOps or security. Spend 4–6 weeks running dev-mode Vault, configuring each major secrets engine, and drilling realistic practice exams.
Take a free Vault Associate practice test on Sailor.sh to gauge readiness, then work the full mock exam bundle until you consistently score 85%+ across all nine objectives.