Exam Vault Associate 002
Question 40

The key/value v2 secrets engine is enabled at secret/. See the following policy:

Which of the following operations are permitted by this policy? (Choose two.)

    Correct Answer: A, B

    The policy grants the 'create', 'read', 'update', 'delete', and 'list' capabilities on paths under 'secret/data/*', which covers 'secret/webapp1' (the KV v2 CLI maps 'secret/webapp1' to the API path 'secret/data/webapp1'). Therefore 'vault kv get secret/webapp1' (which requires 'read') and 'vault kv put secret/webapp1 apikey-'ABCDEFGHIDK123W'' (which requires 'create' or 'update') are permitted. However, the policy explicitly denies any action on 'secret/data/super-secret', so 'vault kv delete secret/super-secret' and 'vault kv list secret/super-secret' are not permitted. Metadata operations are not covered by the listed capabilities, so the metadata option is not permitted either. Hence the correct answers are 'vault kv get secret/webapp1' and 'vault kv put secret/webapp1 apikey-'ABCDEFGHIDK123W''.
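To make the reasoning above checkable, here is an added example (not from the exam or from HashiCorp) that reconstructs the policy as the explanation describes it and evaluates each 'vault kv' command the way Vault does: the CLI verb is translated to its KV v2 API path ('data/' or 'metadata/'), the most specific matching rule wins, and a 'deny' capability overrides everything. The policy contents and the simplified matcher (trailing '*' only, no '+' segment wildcard) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    path: str            # exact path, or a prefix ending in "*"
    capabilities: set

# Assumed policy, reconstructed from the answer explanation (not the exam's actual HCL).
POLICY = [
    Rule("secret/data/*", {"create", "read", "update", "delete", "list"}),
    Rule("secret/data/super-secret", {"deny"}),
]

# How `vault kv` subcommands map to KV v2 API paths and the capabilities that satisfy them.
KV_V2_OPS = {
    "get":          ("data",     {"read"}),
    "put":          ("data",     {"create", "update"}),  # either one allows a write
    "delete":       ("data",     {"delete"}),            # soft-deletes the latest version
    "list":         ("metadata", {"list"}),              # KV v2 lists keys via metadata/
    "metadata get": ("metadata", {"read"}),
}

def api_path(mount, subcommand, key):
    kind, caps = KV_V2_OPS[subcommand]
    return f"{mount}/{kind}/{key}", caps

def matching_rule(policy, path):
    """Most specific rule for `path`: an exact match beats a glob,
    and among globs the longest prefix wins (simplified Vault matching)."""
    best = None
    for rule in policy:
        if rule.path.endswith("*"):
            if not path.startswith(rule.path[:-1]):
                continue
            score = (0, len(rule.path))
        elif rule.path == path:
            score = (1, len(rule.path))
        else:
            continue
        if best is None or score > best[0]:
            best = (score, rule)
    return best[1] if best else None

def is_permitted(policy, mount, subcommand, key):
    path, needed = api_path(mount, subcommand, key)
    rule = matching_rule(policy, path)
    if rule is None or "deny" in rule.capabilities:
        return False     # no grant at all, or an explicit deny (deny always wins)
    return bool(needed & rule.capabilities)

if __name__ == "__main__":
    for sub, key in [("get", "webapp1"), ("put", "webapp1"), ("metadata get", "webapp1"),
                     ("delete", "super-secret"), ("list", "super-secret")]:
        print(f"vault kv {sub} secret/{key}: {is_permitted(POLICY, 'secret', sub, key)}")
```

Note that 'vault kv list' reaches 'secret/metadata/super-secret', which no rule grants, so it is refused even before the explicit deny on the data path is considered.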

Discussion
daz_rekka
Options: AB

The KV Put and KV Get operations require the read, create, and update capabilities granted in the first part of the policy so A & B are correct. Metadata is not one of the listed capabilities in the first section of the policy so C is wrong. The deny in the second part of the policy prevents D & E.