When you need Vault to store credentials that were created by a third-party platform, such as Active Directory or API keys from a partner website, you need to use the KV secrets engine. The KV secrets engine is the ONLY secrets engine that can actually store credentials in Vault.

Vault KV has two different versions of the KV secrets engine, version 1 and version 2. Version 2 is a versioned KV store, meaning that it can store the current and previous versions of a particular secret. You can even configure a KV V2 secrets engine to only keep a certain number of versions for a secret as well.

More information about the KV V2 secrets engine can be found here

This page also gives a good rundown on each of the versions of the KV secrets engine

AppRole is an auth method that is better suited for machine-to-machine authentication. The other auth methods options are human, or user-based, auth methods. Technically you COULD use some of these auth methods, but AppRole is the best in this situation since it's a machine authenticating to Vault.

https://www.vaultproject.io/docs/auth/approle

To view information about a token, the command vault token lookup can be used on the CLI. This command will display lots of information and metadata associated with a particular token. This information includes TTL, number of uses, type of token, policies, and more.

There are two different ways you can use the vault token lookup command. If you are logged into Vault and want to check the current token being used, you can just use vault token lookup. If you want to check a different token, you can use vault token lookup <token>. You can also use -accessor flag if you only know the accessor and not the token.

1. $ vault token lookup s.DjWW03Jn6i4RFhFngUPu8nYB
2. Key Value
3. --- -----
4. accessor yQbBeuJIvDPdf38v5lWAcxXN
5. creation_time 1633796417
6. creation_ttl 768h
7. display_name token
8. entity_id n/a
9. expire_time 2021-11-10T11:20:17.5104784-05:00
10. explicit_max_ttl 0s
11. id s.DjWW03Jn6i4RFhFngUPu8nYB
12. issue_time 2021-10-09T12:20:17.5104784-04:00
13. meta <nil>
14. num_uses 0
15. orphan false
16. path auth/token/create
17. policies [default training]
18. renewable true
19. ttl 767h59m37s
20. type service

Incorrect Answers:

vault operator diagnose is a new command in Vault 1.8 that allows you to troubleshoot a Vault node where the Vault service will not start.

vault policy list will list the current policies on the Vault node/cluster. It does not show what tokens are associated with each policy.

vault token capabilities will list the capabilities on a certain path for the referenced token. You provide the token and the path you want to check and Vault will return a list of capabilities (list, read, create, etc) that is permitted on the referenced path.

The Transit secrets engine is used to encrypt data in transit. It does NOT store the data locally. It simply encrypts the data and returns the ciphertext to the requester. When you encrypt/decrypt data, the request must include the desired encryption key for the operation. The keys are stored in Vault and not the application servers themselves.

Incorrect Answers:

 * The Transit secrets engine does not create X.509 certificates. The PKI secrets engine provides that functionality.

 * The Transit secrets engine does not generate dynamic SSH credentials. That's what the SSH secrets engine does for you.

 * The Transit secrets engine does not store data. It only encrypts/decrypts data in transit and returns the ciphertext/cleartext

More information about the Transit secrets engine can be found here.