
IAM KeyCloak Secrets PKI Engineer
Posted Jun 1

This is a fully remote position, open to applicants in Germany.
• We are looking for a Mid-level IAM, Secrets, and PKI Engineer to join the Identity and Access Management team for a significant internal platform initiative within the energy sector.
• You will be responsible for designing, implementing, and managing Keycloak and HashiCorp Vault across a hybrid cloud environment, providing scalable, secure, and federated access management along with a strong PKI and secrets management capability.
• You will implement RBAC/ABAC policies and multi-realm configurations in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles, and clients.
• You will configure SSO flows, MFA, and identity federation across both hybrid cloud and on-premises workloads.
• You will deploy Keycloak on VMs, Docker, and Kubernetes (OpenShift and bare-metal), while configuring OIDC, OAuth2, SAML, and Kerberos/LDAP federation.
• You will deploy Keycloak on GKE using Helm/Operators, integrating it with Google Identity and aligning Keycloak roles to GCP IAM roles.
• You will set up HashiCorp Vault to secure Keycloak's operational secrets, implement dynamic secrets for its database backends, and use Vault Agent (via the Vault Agent Injector sidecar) to deliver those secrets into Keycloak pods.
• You will deploy and manage Vault in production on Linux-based systems, including high availability (HA), Raft storage, seal/unseal mechanisms, and HSM/KMS integration.
• You will oversee Vault PKI operations: managing root, intermediate, and issuing CAs, short-lived certificate issuance, CRL/OCSP integration, and automated revocation.
• You will implement ACME v2, EST for devices, and AIA/CRL/OCSP publishing, issuing certificates that conform to RFC 5280 profiles.
• You will automate Keycloak and Vault deployment and configuration using Terraform, Helm, and Ansible.
• You will integrate certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI).
• You will monitor both platforms using Prometheus and Grafana and respond to incidents such as expired certificates, Vault unseal failures, and problems arising from the IPA migration.
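As an added illustration of the Vault PKI layout these responsibilities describe (a root CA, an intermediate issuing CA in its own mount, short-lived leaf certificates, AIA/CRL/OCSP publishing, all driven from Terraform), here is an example written for this page; it is not the employer's code. It assumes a Vault provider already configured through VAULT_ADDR/VAULT_TOKEN, a Vault version whose PKI engine serves the unauthenticated ca, crl, and ocsp endpoints, and the placeholder hostname vault.example.internal and domain keycloak.example.internal.

```hcl
# Added example: Vault PKI hierarchy and a Keycloak issuing role, managed with
# Terraform. Hostnames and domains below are placeholders, not real infrastructure.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Root CA in its own mount with a long max TTL. In production the root key
# would typically be protected by an HSM/KMS-backed setup or kept offline; this
# keeps the example self-contained.
resource "vault_mount" "pki_root" {
  path                  = "pki_root"
  type                  = "pki"
  max_lease_ttl_seconds = 10 * 365 * 24 * 3600
}

resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki_root.path
  type        = "internal"   # private key is generated and kept inside Vault
  common_name = "Example Internal Root CA"
  ttl         = "87600h"
  key_type    = "ec"
  key_bits    = 384
}

# Intermediate (issuing) CA in a separate mount. Its max lease TTL is what
# actually bounds leaf certificate lifetime, so keep it short.
resource "vault_mount" "pki_int" {
  path                  = "pki_int"
  type                  = "pki"
  max_lease_ttl_seconds = 72 * 3600
}

resource "vault_pki_secret_backend_intermediate_cert_request" "int" {
  backend     = vault_mount.pki_int.path
  type        = "internal"
  common_name = "Example Internal Issuing CA"
  key_type    = "ec"
  key_bits    = 384
}

resource "vault_pki_secret_backend_root_sign_intermediate" "int" {
  backend         = vault_mount.pki_root.path
  csr             = vault_pki_secret_backend_intermediate_cert_request.int.csr
  common_name     = "Example Internal Issuing CA"
  ttl             = "43800h"
  max_path_length = 0   # the issuing CA must not sign further CAs
}

resource "vault_pki_secret_backend_intermediate_set_signed" "int" {
  backend     = vault_mount.pki_int.path
  certificate = vault_pki_secret_backend_root_sign_intermediate.int.certificate_bundle
}

# AIA, CRL distribution point, and OCSP responder URLs embedded in every issued
# certificate (RFC 5280 extensions) so relying parties can build the chain and
# check revocation. The paths are Vault's unauthenticated PKI endpoints.
resource "vault_pki_secret_backend_config_urls" "int" {
  backend                 = vault_mount.pki_int.path
  issuing_certificates    = ["https://vault.example.internal:8200/v1/pki_int/ca"]
  crl_distribution_points = ["https://vault.example.internal:8200/v1/pki_int/crl"]
  ocsp_servers            = ["https://vault.example.internal:8200/v1/pki_int/ocsp"]
}

# Role used by Keycloak pods (via Vault Agent) to request server certificates.
# Tight name constraints and a 24h default TTL make leaked certs short-lived
# and limit what a compromised pod can obtain.
resource "vault_pki_secret_backend_role" "keycloak" {
  backend                     = vault_mount.pki_int.path
  name                        = "keycloak"
  allowed_domains             = ["keycloak.example.internal"]
  allow_bare_domains          = true
  allow_subdomains            = false
  allow_wildcard_certificates = false
  allow_ip_sans               = false
  server_flag                 = true
  client_flag                 = false
  key_type                    = "ec"
  key_bits                    = 256
  ttl                         = "86400"   # 24h default leaf lifetime (seconds)
  max_ttl                     = "259200"  # 72h cap, matching the mount
}
```

Two design choices worth noting: the intermediate lives in its own mount so the root mount's long TTL never leaks into leaf certificates, and the role's `max_ttl` is deliberately aligned with the intermediate mount's `max_lease_ttl_seconds`, since Vault caps issued TTLs at the mount limit regardless of what a client requests.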
• Strong understanding of authentication protocols including OIDC, OAuth2, SAML, Kerberos, and LDAP.
• Proficiency in deploying Keycloak across VM, Kubernetes, and optionally GCP.
• Experience in integrating Vault for effective secrets management.
• Familiarity with automation tools such as Terraform, Helm, and ArgoCD.
• Expertise in troubleshooting hybrid IAM workflows.
• Vault Fundamentals: practical experience in deploying and managing Vault clusters in production, including HA, Raft storage, and seal/unseal (KMS/HSM) operations, alongside PKI secrets engine management.
• PKI Secrets Engine: experience in managing intermediates, role definitions, short-lived certificate issuance, CRLs, and automated revocation, with the ability to integrate PKI with applications and services.
• Certificate Lifecycle Management: experience in automating issuance and renewal via Vault Agent, API, or CI/CD pipelines, including rotation policies, revocation, and certificate policy SLOs.
• Experience integrating certificate issuance with enterprise systems and protocols, including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST, and revocation checking (CRL/OCSP).
• Experience with implementing RBAC, configuring Vault audit devices, and HSM/KMS key protection.
• Fluent in English (C1 minimum).
• Flexible working hours.
• The freedom to select your own projects.
• Access to exciting projects across various industries.
• Competitive salary.
• Dedicated team support.