Comprehensive and Detailed In-Depth
To ensure consistent access permissions for Sarah across multiple authentication methods (LDAP and
GitHub), the correct approach in Vault is to create an entity for Sarah and map both her LDAP and
GitHub identities as entity aliases to this single entity.
Entities and Aliases in Vault: Vault’s Identity secrets engine allows the creation of entities, which are
logical representations of users or machines. Each entity can have multiple aliases, where an alias
corresponds to an identity from a specific auth method. By mapping Sarah’s LDAP identity (e.g., her
LDAP username) and GitHub identity (e.g., her GitHub username) as aliases to a single entity, Vault
associates both identities with one set of policies. The documentation states: "Vault clients can be
mapped as entities and their corresponding accounts with authentication providers can be mapped
as aliases."
Why This Works: Assigning policies to the entity ensures that Sarah’s permissions remain consistent
regardless of whether she logs in via LDAP or GitHub. This centralizes policy management and
eliminates discrepancies.
Incorrect Options:
B. External Group Approach: Creating an external group and adding LDAP and GitHub providers as
members does not inherently synchronize permissions for a single user like Sarah. External groups
are better suited for mapping group memberships from external systems to Vault policies, not
individual identity unification.
C. Separate Policies: Managing separate policies per auth method is error-prone and inefficient.
Manual synchronization risks inconsistencies, undermining security and manageability.
D. Trust Relationship: Vault does not support configuring trust relationships between auth methods
like LDAP and GitHub to sync accounts. This is a misunderstanding of Vault’s architecture.
This entity-based approach leverages Vault’s identity system to unify Sarah’s access, simplifying
administration and ensuring consistency.
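As an added illustration (not Vault's code and not from the linked tutorial), the following Python models how the identity store resolves a login on an auth mount to a canonical entity and its policies, and what happens to a user whose aliases were never pre-created; the mount accessor strings and user names are constructed.

```python
"""Simplified model of Vault Identity entity/alias resolution (added example,
not Vault's code; accessors and user names below are constructed)."""
from itertools import count


class IdentityStore:
    """Entities carry policies; an alias (mount_accessor, name) maps to one entity."""
    def __init__(self):
        self._ids = count(1)
        self.entities = {}  # entity id -> {"name", "policies"}
        self.aliases = {}   # (mount_accessor, alias name) -> entity id

    def create_entity(self, name, policies=()):
        eid = f"entity-{next(self._ids)}"
        self.entities[eid] = {"name": name, "policies": set(policies)}
        return eid

    def create_alias(self, name, mount_accessor, canonical_id):
        if canonical_id not in self.entities:
            raise KeyError(f"unknown entity {canonical_id}")
        if (mount_accessor, name) in self.aliases:
            raise ValueError("alias name already in use on this auth mount")
        # Vault permits one alias per entity on a given auth mount.
        if canonical_id in {e for (acc, _), e in self.aliases.items()
                            if acc == mount_accessor}:
            raise ValueError("entity already has an alias on this mount")
        self.aliases[(mount_accessor, name)] = canonical_id

    def login(self, mount_accessor, name, method_policies=()):
        """Return (entity id, auth-method policies unioned with entity policies)."""
        eid = self.aliases.get((mount_accessor, name))
        if eid is None:
            # No pre-created alias: Vault creates an implicit entity, so an
            # unmapped user gets a separate entity per auth method.
            eid = self.create_entity(f"entity_{name}")
            self.aliases[(mount_accessor, name)] = eid
        return eid, sorted(set(method_policies) | self.entities[eid]["policies"])


def demo():
    store = IdentityStore()
    ldap, github = "auth_ldap_c0de", "auth_github_c0de"  # constructed accessors
    sarah = store.create_entity("sarah", ["engineering"])
    store.create_alias("sarah", ldap, sarah)       # her LDAP username
    store.create_alias("sarah-gh", github, sarah)  # her GitHub login
    return {
        "sarah_ldap": store.login(ldap, "sarah"),
        "sarah_github": store.login(github, "sarah-gh"),
        "bob_ldap": store.login(ldap, "bob"),
        "bob_github": store.login(github, "bob-gh"),
    }
```

Sarah's two logins resolve to the same entity and the same policy set, while Bob, who was never mapped, ends up with two unrelated entities and no shared policies.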
Reference: https://developer.hashicorp.com/vault/tutorials/auth-methods/identity