The HashiCorp Vault is an enigma’s management tool specifically designed to control access to sensitive identifications in a low-trust environment.
It can be used to store subtle values and at the same time dynamically generate access for specific services/applications on lease.
Interview Questions and Answers for Hashicrop Vault
1. What are Auth Methods?
Auth methods are the components in Vault that perform authentication and are responsible for assigning identity and a set of policies to a user.
2. Why there are so many Auth Methods?
Having multiple auth methods enables you to use an auth method that makes the most sense for your use case of Vault and your organization.
For example, on developer machines, the GitHub auth method is easiest to use. But for servers the AppRole method is the recommended choice.
3. When you enable Auth Methods. Which prefix is used to mount them?
auth/
All auth methods are mounted underneath the auth/ prefix. By default, auth methods are mounted to auth/<type>. For example, if you enable “github”, then you can interact with it at auth/github.
4. You can customize the mount path when you are enabling Auth Methods. Is this true, if so, why?
True
Allowing users with advanced use cases to mount a single auth method multiple times.
5. When an auth method is disabled, what happens to all the users authenticated via that method?
When an auth method is disabled, all users authenticated via that method are automatically logged out.
6. One ability of root token is to create new tokens. Is this true?
True
7. What is the command to create a token?
vault token create
8. How do you log in with the token you created?
vault login <generated token>
9. When you revoke the token what happens to all the tokens it created?
When a token is revoked it will revoke all the tokens that it created.
10. How do you enable the GitHub Auth Method?
vault auth enable github
The auth method is enabled and available at the path auth/github/
11. How do you configure GitHub engineering team authentication to be granted the default and application policies?
vault write auth/github/map/teams/emgineering value=default,applications
12. What is the command to list all the authentication methods that Vault has enabled?
vault auth list
13. Explain the authentication process of the Vault?
Before a client can interact with Vault, it must authenticate against an auth method. Upon authentication, a token is generated. This token is conceptually similar to a session ID on a website. The token may have attached policy, which is mapped at authentication time.
14. What does this statement vault write sys/auth/my-auth type=userpass mean?
This enables the “userpass” auth method at the path “my-auth”. This authentication will be accessible at the path “my-auth”. Often you will see authentications at the same path as their name, but this is not a requirement.
15. What is the AppRole Auth method is used for?
AppRole is an authentication mechanism within Vault to allow machines or apps to acquire a token to interact with Vault. It uses RoleID and SecretID for login.
16. Give an example of the auth method, which is used for users?
LDAP
17. You have a scenario where a DevOps team wants to configure Jenkins to read secrets from Vault so that it can inject the secrets into an app’s environment variables (e.g. MYSQL_DB_HOST) at deployment time. How can a Jenkins server programmatically request a token so that it can read secrets from Vault?
Enable AppRole auth method so that the Jenkins server can obtain a Vault token with appropriate policies attached. Since each AppRole has attached policies, you can write fine-grained policies limiting which app can access which path.
18. When enable authrole what are the two ids that apps use to log in?
RoleID
SecretID
// example
vault write auth/approle/login \
role_id=”675a50e7-cfe0-be76-e35f-49ec009731ea” \
secret_id=”ed0a642f-2acf-c2da-232f-1b21300d5f29″
19. What is the Pull Mode in Auth Method Authentication?
If the SecretID used for login is fetched from an AppRole, this is operating in Pull mode.
20.What is the Push Mode in Auth Method Authentication?
If a “custom” SecretID is set against an AppRole by the client, it is referred to as a Push mode.
21. Which auth method you should use to authenticate with the vault using OIDC or by providing a JWT?
JWT/OIDC
22. Which auth method you should use to authenticate with vault using a kubernetes Service Account Token?
Kubernetes
23. Which auth method allows users to authenticate using a token?
token
Create Vault policies
Practice questions based on these concepts
Illustrate the value of Vault policy
Describe Vault policy syntax: path
Describe Vault policy syntax: capabilities
Craft a Vault policy based on requirements
24. What are Policies?
Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
25. Policies are denied by default. Is this true?
True
Policies are deny by default, so an empty policy grants no permission in the system.
26. Can you explain the Policy Syntax?
Policies are written in HCL or JSON and describe which paths in Vault a user or machine is allowed to access.
Policies use path-based matching to test the set of capabilities against a request. A policy path may specify an exact path to match, or it could specify a glob pattern which instructs Vault to use a prefix match:
// Examples
path “secret/foo” {
capabilities = [“read”]
}
# Permit reading only “secret/foo”. An attached token cannot read “secret/food”
# or “secret/foo/bar”.
path “secret/foo” {
capabilities = [“read”]
}
# Permit reading everything under “secret/bar”. An attached token could read
# “secret/bar/zip”, “secret/bar/zip/zap”, but not “secret/bars/zip”.
path “secret/bar/*” {
capabilities = [“read”]
}
# Permit reading everything prefixed with “zip-“. An attached token could read
# “secret/zip-zap” or “secret/zip-zap/zong”, but not “secret/zip/zap
path “secret/zip-*” {
capabilities = [“read”]
}
27. You want to Permit reading the “teamb” path under any top-level path under secret/. How do you define the policy?
path “secret/+/teamb” {
capabilities = [“read”]
}
28. Why Policies with list capabilities should end with a trailing slash?
When providing list capability, it is important to note that since listing always operates on a prefix, policies must operate on a prefix because Vault will sanitize request paths to be prefixes. In other words, policy paths targeting list capability should end with a trailing slash:
29. What are all the available capabilities for the policies?
Create (POST/PUT) – Allows creating data at the given path. Very few parts of Vault distinguish between create and update, so most operations require both create and update capabilities. Parts of Vault that provide such a distinction are noted in documentation.
Read (GET) – Allows reading the data at the given path.
Update (PUT/POST) – Allows changing the data at the given path. In most parts of Vault, this implicitly includes the ability to create the initial value at the path.
Delete (DELETE)- Allows deleting the data at the given path.
List (LIST)- Allows listing values at the given path. Note that the keys returned by a list operation are not filtered by policies. Do not encode sensitive information in key names. Not all backends support listing.
sudo – Allows access to paths that are root-protected. Tokens are not permitted to interact with these paths unless they have the sudo capability (in addition to the other necessary capabilities for performing an operation against that path, such as read or delete).
deny – Disallows access. This always takes precedence regardless of any other defined capabilities, including sudo.
30. What are templated policies?
The policy syntax allows for doing variable replacement in some policy strings with values available to the token. Currently identity information can be injected, and currently the path keys in policies allow injection.
// Examples
path “secret/data/{{identity.entity.id}}/*” {
capabilities = [“create”, “update”, “read”, “delete”]
}
path “secret/metadata/{{identity.entity.id}}/*” {
capabilities = [“list”]
}
30. Can we store files in HashiCorp vault?
If you want to store large files inside of Vault:
It’s a simpler setup and you can do point-in-time live snapshots. Plus if you find you need the space in the future, you can just migrate your storage backend.
31. What can be stored in the HashiCorp vault?
Vault encrypts data using 256-bit AES with GCM. It can store data in various backends (files, Amazon DynamoDB, Consul, etc, and much more). The other key aspect is that Vault never stores a key in a persistent location.
32. Is HashiCorp vault on premise?
HashiCorp Vault: Multi-Cloud Secrets Management Simplified
Vault allows you to centrally manage and securely store secrets across on-premises infrastructure and the cloud using a single system. The Vault API exposes cryptographic operations for developers to secure sensitive data without exposing encryption keys.
33. What are secrets HashiCorp?
Secrets engines are Vault components which store, generate or encrypt secrets. In Your First Secrets tutorial, you used the key/value v2 secrets engine to store data. Some secret engines like the key/value secrets engines simply store and read data. … Other secret engines provide encryption as a service.
34. How does HashiCorp vault store keys?
SSH keys to connect to remote machines are shared and stored as plaintext. API keys to invoke external system APIs are stored as plaintext. An app integrates with LDAP, and its configuration information is in plaintext.
35. What is the HashiCorp key vault?
HashiCorp Vault enables organizations to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
36. What is the backend in the vault?
The storage stanza configures the storage backend, which represents the location for the durable storage of Vault’s information. Each backend has pros, cons, advantages, and trade-offs. For example, some back ends support high availability while others provide a more robust backup and restoration process.
37. What is Vault cloud?
Vault Cloud provides premium, full-service cloud computing solutions with Australia’s highest security standards. Built on advanced OpenStack architecture with powerful Intel processors, lightning-fast solid-state storage, and AI and machine learning accelerators, it also delivers unparalleled performance.
38. Is it possible to start Vault dev server on 0.0.0.0 instead of 127.0.0.1?
Start your Vault server with the following command:
vault server -dev -dev-listen-address=”0.0.0.0:8200″
You can also specify the address via the VAULT_DEV_LISTEN_ADDRESS environment variable.
39. You have a requirement to enable and manage authentication methods broadly across vault. How do you define the policy?
# Manage auth methods broadly across Vault
path "auth/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
40. You have a requirement to create, update, and delete auth methods. How do you define the policy?
# Create, update, and delete auth methods
path "sys/auth/*"
{
capabilities = ["create", "update", "delete", "sudo"]
}
41. You have a requirement to manage the secrets engine. How do you define the policy?
# Manage secrets engines
path "sys/mounts/*"
{
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
42. What are the built-in policies in the vault?
root policy
default policy
43. You can’t modify the default policy. True/False?
False
44. You can’t modify or remove the root policy. True/False?
True
45. How do you create a token without a default policy attached to it?
vault token create -no-default-policy
46. You want to create a policy at the path secret/foo with the parameters named bar and baz. These parameters are required. How do you define the policy?
required_parameters – A list of parameters that must be specified.
path “secret/foo” {
capabilities = [“create”]
required_parameters = [“bar”, “baz”]
}
47. How do you whitelists a list of keys and values that are permitted on the given path when defining the policy?
allowed_parameters
48. How do you blacklist a list of keys and values that are permitted on the given path when defining the policy?
denied_paramters
49. You want to access root-protected paths with the token. Which capability should you give?
sudo
50. of all the capabilities which take precedence when specified?
Deny
- Implementing Managed IT Services: A Step-by-Step Guide - August 30, 2024
- DevOps Foundation Certification - August 29, 2024
- SRE Foundation Certification - August 29, 2024