HashiCorp Certified: Vault Associate Certification

Assess Vault Tokens

Exam Tips for Objective 3

Before you dive into exam questions, ensure you have a solid grasp of Vault’s token system. In this lesson, we’ll cover:

  • An overview of all token types
  • Key differences between Service and Batch tokens
  • How to use the vault token command
  • Root Token best practices

Token Types Overview

Exam tip: know the unique characteristics and use cases of Service, Batch, Root, Periodic, Orphan, and CIDR-bound tokens.

Token Type  | TTL                          | Renewal  | Revocation | Storage Behavior
Service     | Configurable                 | ✓        | ✓          | Persisted in Vault's storage backend
Batch       | Fixed at creation            | ✗        | ✗          | Encrypted blob, not persisted
Root        | — (never expires)            | —        | ✓          | Persisted
Periodic    | Period (resets on renewal)   | ✓        | ✓          | Persisted
Orphan      | Configurable                 | ✓        | ✓          | Persisted (no parent)
CIDR-Bound  | Configurable                 | ✓        | ✓          | Persisted (IP-restricted)

Key actions you should be able to perform:

  • List all token types
  • Describe TTL, renewal, revocation, and storage details for each
  • Match real-world use cases to the appropriate token

Service vs. Batch Tokens

Exam tip: focus on the differences between service and batch tokens, how each is stored, and how to use the vault token command.

Feature                 | Service Tokens                  | Batch Tokens
Renewability            | Fully renewable                 | Not renewable
Revocability            | Fully revocable                 | Not revocable
Storage Backend Impact  | Persisted to backend            | No backend storage
Use Case                | Long-lived clients, automation  | One-time operations, scale concerns

Note

Use batch tokens when you need to minimize storage-backend impact.

Practice with vault token

Launch a local Dev Server and run:

# Create a batch token
vault token create -type=batch

# Renew a service token
vault token renew <service-token>

# Revoke any token
vault token revoke <token>

Root Token Essentials

Exam tip: know how root tokens are created and revoked, which actions a token accessor allows, and Vault's default TTL.

  • Creation Methods
    • Initial root token at initialization
    • Generate new root with an existing root token
    • Emergency root via unseal or recovery keys
  • Best Practice: Always revoke root tokens immediately after completing privileged tasks.
  • Token Accessors support only these operations: lookup, renew, revoke_self, revocation. For any other action, the actual token is required.
  • Default TTL: 768 hours (32 days) if none specified.

Warning

Root tokens never expire by default and grant full access—handle them with extreme care.
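As an added example (not part of the course material), the following Python reads the JSON that `vault token lookup -format=json` returns and applies the classification rules from the two tables above and the root-token tips. The records are constructed samples, and the field names used are those of Vault's token lookup response.

```python
"""Assess Vault tokens from `vault token lookup -format=json` output.
Added example, not part of the course material; the `data` fields used
(type, renewable, orphan, period, bound_cidrs, ttl, policies) are the ones
Vault emits, while the sample records below are constructed."""

# Constructed lookup results covering the token types in the tables above.
SAMPLE_LOOKUPS = [
    {"data": {"id": "hvs.SERVICE", "type": "service", "renewable": True,
              "orphan": False, "period": 0, "bound_cidrs": [],
              "ttl": 2764800, "policies": ["default", "app-read"]}},
    {"data": {"id": "hvb.BATCH", "type": "batch", "renewable": False,
              "orphan": False, "period": 0, "bound_cidrs": [],
              "ttl": 3600, "policies": ["default"]}},
    {"data": {"id": "hvs.ROOT", "type": "service", "renewable": False,
              "orphan": True, "period": 0, "bound_cidrs": [],
              "ttl": 0, "policies": ["root"]}},
    {"data": {"id": "hvs.PERIODIC", "type": "service", "renewable": True,
              "orphan": False, "period": 86400, "bound_cidrs": [],
              "ttl": 86400, "policies": ["default"]}},
    {"data": {"id": "hvs.CIDR", "type": "service", "renewable": True,
              "orphan": False, "period": 0, "bound_cidrs": ["10.0.0.0/8"],
              "ttl": 7200, "policies": ["default"]}},
]

def assess_token(lookup: dict) -> dict:
    """Classify one lookup result and spell out its lifecycle properties."""
    d = lookup["data"]
    is_batch = d.get("type") == "batch"
    # A live root token carries the root policy and has no TTL.
    is_root = "root" in d.get("policies", []) and d.get("ttl", 0) == 0
    if is_batch:
        kind = "batch"
    elif is_root:
        kind = "root"
    elif d.get("period", 0) > 0:
        kind = "periodic"
    elif d.get("orphan"):
        kind = "orphan"
    else:
        kind = "service"
    return {
        "kind": kind,
        # Batch tokens cannot be renewed or revoked and leave nothing in storage.
        "renewable": bool(d.get("renewable")) and not is_batch,
        "revocable": not is_batch,
        "persisted": not is_batch,
        "bound_cidrs": list(d.get("bound_cidrs") or []),
        "action": "revoke now" if is_root else "monitor",
    }
```

Run `assess_token` over the output of `vault token lookup -format=json <token>` on your Dev Server to compare what the server reports with the table entries.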


After reviewing these concepts, be sure to complete the practice quizzes in this section to validate your understanding. Good luck on your exam preparation!
