All resources
Vault · Interview prep

Vault & secrets management interview questions

HashiCorp Vault and secrets-management interview questions from fresher to senior — fundamentals, dynamic secrets and engines, Kubernetes and app integration, and operations and security, tagged by experience level.

ExperienceAll levelsFresherJuniorMidSenior

Fresher 0–1y · Junior 1–3y · Mid 3–6y · Senior 6+y — every answer is tagged so you can prep for your level.

Fundamentals
What problem does Vault solve?Fresher

Centralized secrets management with identity-based access, auditing, leasing, and rotation — so credentials are not scattered in config files, env vars, and CI, and every access is authenticated and logged.

Store and read a secret
vault kv put secret/app db_pass=s3cr3t
vault kv get -field=db_pass secret/app
Everything in Vault is a path — what does that mean?Junior

Vault exposes engines and auth methods as API paths (secret/, database/, auth/kubernetes/). You read/write those paths, and policies grant capabilities per path — so the access model and the API are the same thing.

Paths are the API
vault secrets list           # mounted engines and their paths
vault kv get secret/app      # read == GET on a path
KV v1 vs KV v2?Junior

Both store static key/value secrets; v2 adds versioning (history and rollback), soft delete, and check-and-set writes. v2 is the default for new mounts and preferred unless you need the lighter v1 semantics.

Versioning with v2
vault kv put secret/app pass=v2         # creates version 2
vault kv get -version=1 secret/app      # read an old version
vault kv rollback -version=1 secret/app
What is seal/unseal?Mid

Vault starts sealed with its master key split (Shamir) into shares; unsealing reconstructs the key in memory to decrypt storage. Auto-unseal delegates this to a cloud KMS/HSM so operators are not needed for every restart.

Sealed means the encryption key is not in memory, so storage is useless to an attacker who steals the disk. Shamir requires a quorum of key-holders to unseal by hand; auto-unseal hands that job to a KMS/HSM so restarts do not need humans, at the cost of trusting that KMS.

start sealedquorum of key shares (or KMS)master key in memoryunsealed: serves requests
How do auth methods and tokens relate?Junior

An auth method (Kubernetes, AppRole, OIDC, AWS IAM) verifies an identity and issues a token bound to policies and a TTL. The token — not a static password — is what a client presents for subsequent requests.

Log in, get a token
vault login -method=userpass username=alice
# returns a token bound to policies + TTL; used for later calls
Dynamic secrets & engines
What are dynamic secrets?Mid

Vault generates credentials on demand with a lease and TTL (e.g. a short-lived database user) and revokes them at expiry, so no long-lived shared credential exists and a leak is automatically time-bounded.

Nobody — not even the app — holds a permanent database password. The app asks Vault at startup, gets a unique user valid for, say, an hour, and Vault deletes it at expiry. A leaked credential is useless within the TTL, and every issue is tied to an identity in the audit log.

app authenticatesVault creates a DB userlease + short TTLauto-revoked at expiry
On-demand DB creds
vault read database/creds/readonly
# -> unique username + password, lease_id, ttl=1h
Static vs dynamic secrets — when do you use each?Mid

Use dynamic wherever the backend supports it (databases, cloud IAM, SSH) so rotation is automatic and blast radius is bounded. Static KV is for things Vault cannot generate — third-party API keys, certificates you receive — which you then rotate on a schedule.

What does the transit engine do?Mid

Encryption as a service — apps send plaintext and get ciphertext without ever holding the key, and Vault handles key rotation and rewrapping. It also does signing and HMAC, keeping key material inside Vault.

Encrypt without holding a key
vault write transit/encrypt/orders plaintext=$(base64 <<< "hi")
# app never sees the key; rotate with: vault write -f transit/keys/orders/rotate
How does Vault act as a PKI/CA?Mid

The PKI engine issues short-lived X.509 certs on request from a configured CA, enabling automated mTLS with certs that rotate frequently instead of long-lived, manually managed ones.

Issue a short-lived cert
vault write pki/issue/web common_name=web.example.com ttl=72h
# returns cert + key + chain; renew before expiry
What are leases, TTLs, and revocation?Mid

Every dynamic secret and token has a lease with a TTL; clients renew before expiry or the secret is revoked automatically. Operators can revoke a lease (or a whole tree) instantly during an incident — a key advantage over static secrets.

Revoke on incident
vault lease revoke -prefix database/creds/readonly
# kills every credential that engine issued, at once
Kubernetes & apps
How does Kubernetes auth to Vault work?Mid

The workload presents its projected ServiceAccount token; Vault validates it with the cluster’s TokenReview API and maps the SA/namespace to a Vault role and policies — no static Vault credential in the Pod.

The Pod already has an identity it did not choose — its ServiceAccount token. Vault trusts the cluster to vouch for it via TokenReview, then applies the policies bound to that SA. This is how you avoid the secret-zero problem inside Kubernetes.

Pod SA tokenVault -> TokenReviewmap SA/ns to role + policyissue Vault token
Bind a role to a ServiceAccount
vault write auth/kubernetes/role/app bound_service_account_names=app bound_service_account_namespaces=prod policies=app ttl=1h
Agent injector vs CSI vs External Secrets Operator?Senior

The agent injector mutates Pods to add a sidecar that fetches and renews secrets to a file; the Secrets Store CSI driver mounts them as a volume; ESO syncs Vault secrets into native Kubernetes Secrets. Choice depends on whether apps read files, env, or k8s Secrets.

Injector needs no app change and auto-renews but adds a sidecar per Pod; CSI mounts secrets as files with no sidecar; ESO turns Vault into the source for ordinary k8s Secrets, which is simplest for apps that already read Secrets — but then the secret does land in etcd.

How does an app actually get a secret with the injector?Mid

You annotate the Pod with the Vault role and which secret to fetch; the injector adds an init/sidecar agent that authenticates, writes the secret to a shared file, and keeps it renewed. The app just reads the file.

Pod annotations
annotations:
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/role: "app"
  vault.hashicorp.com/agent-inject-secret-db: "database/creds/app"
What is the "secret zero" problem?Senior

To get secrets you first need a credential to authenticate — the bootstrap secret. The answer is platform identity (Kubernetes SA token, cloud instance identity) that the environment already trusts, so no static secret is pre-planted.

You cannot hand out a secret to fetch secrets without an infinite regress. The way out is an identity the platform already issues — a Pod SA token, an EC2 instance identity document — that Vault can verify. There is nothing to plant because the environment vouches for the workload.

platform issues identityworkload presents itVault verifies with platformgrants a token
When would you use AppRole?Mid

For automated, non-human clients (CI, apps outside k8s) that authenticate with a RoleID plus a Secret ID delivered out-of-band. It fits environments without a platform identity to leverage.

RoleID + SecretID
vault write auth/approle/role/ci token_policies=ci token_ttl=20m
vault read  auth/approle/role/ci/role-id       # long-lived id
vault write -f auth/approle/role/ci/secret-id  # short-lived secret
Operations & security
How do Vault policies work?Mid

HCL policies grant capabilities (read/create/update/delete/list) on specific paths, deny-by-default and attached to tokens via auth roles. Least-privilege path scoping is the core of Vault access control.

A least-privilege policy
# app can only read its own secrets
path "secret/data/app/*" {
  capabilities = ["read"]
}
path "database/creds/app" {
  capabilities = ["read"]
}
How does Vault provide HA and DR?Senior

Integrated Storage (Raft) replicates across nodes with a leader for HA; Enterprise adds performance and DR replication across regions. Back up Raft snapshots and rehearse restore, and protect the unseal path.

Raft gives a self-contained HA cluster (odd number of nodes, one leader). The disaster you must rehearse is losing it entirely: take periodic snapshots, store them safely, and practice restore — and remember a restored Vault is sealed, so the unseal path must survive the disaster too.

Raft cluster (3/5 nodes)periodic snapshotoff-site copyrestore + unseal drill
Why enable audit devices, and what do they capture?Senior

Audit devices log every request and response (with sensitive values HMAC’d) to file/syslog/socket, giving a tamper-evident trail of who accessed what. Vault refuses requests if it cannot write audit logs — auditing is mandatory, not optional.

Turn on an audit device
vault audit enable file file_path=/var/log/vault_audit.log
# secret values are HMAC-ed, so the log is safe to ship to a SIEM
How do you handle rotation and break-glass?Senior

Prefer dynamic secrets so rotation is automatic; for static ones use the rotate-root and versioned KV features on a schedule. Break-glass is a tightly-audited, high-privilege path with alerting, used only in emergencies and rotated after.

Dynamic secrets rotate themselves at every lease. For the unavoidable static ones, Vault can rotate the root/binding credential so even you never see it. Break-glass access is a separate, heavily-alerted role you assume only in an incident and revoke/rotate immediately after.

Go deeper
Full, hands-on DevSecOps courses
Browse courses