Key skills
AnsibleCloudDockerGoogle Cloud PlatformGrafanaJenkinsKubernetesLinuxOpenShiftPrometheusRealmTerraformVaultGCPGoogle CloudGitHub ActionsGitLab CIGKEHelmArgoCDIAMSAMLLDAPSSOKeycloakGitHubGitLabCI/CD
About this role
Role Overview
- We are seeking a Mid-level IAM, Secrets and PKI Engineer to join the Identity and Access Management team of a large internal platform programme in the energy sector.
- You will design, implement and operate Keycloak and HashiCorp Vault across a hybrid cloud environment, delivering scalable, secure and federated access management alongside a robust PKI and secrets management capability.
- Implementing RBAC/ABAC policies and multi-realm setups in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles and clients
- Configuring SSO flows, MFA and identity federation across hybrid cloud and on-premises workloads
- Deploying Keycloak on VMs, Docker and Kubernetes (OpenShift and bare-metal), configuring OIDC, OAuth2, SAML and Kerberos/LDAP federation
- Deploying Keycloak on GKE with Helm/Operators, integrating with Google Identity and mapping Keycloak roles to GCP IAM roles
- Configuring HashiCorp Vault to secure Keycloak operational secrets, implementing dynamic secrets for DB backends and integrating Vault Agent/Sidecar injector for secret injection into Keycloak pods
- Deploying and operating Vault in production on Linux-based systems, including HA, Raft storage, seal/unseal mechanisms and HSM/KMS integration
- Managing Vault PKI operations including intermediates, issuing CAs, short-lived certificate issuance, CRL/OCSP integration and automated revocation
- Implementing ACME v2, EST for devices, AIA/CRL/OCSP publishing and RFC 5280 profiles
- Automating Keycloak and Vault deployment and configuration using Terraform, Helm and Ansible
- Integrating certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI)
- Monitoring both platforms with Prometheus and Grafana and managing incident response for expired certificates, Vault unseal failures and IPA migration issues
Requirements
- Strong knowledge of authentication protocols including OIDC, OAuth2, SAML, Kerberos and LDAP
- Expertise with Keycloak deployment across VM, Kubernetes and optionally GCP
- Experience integrating Vault for secrets management
- Experience with Terraform, Helm and ArgoCD automation
- Expertise troubleshooting hybrid IAM flows
- Vault Fundamentals: hands-on experience deploying and managing Vault clusters in production including HA, Raft storage, seal/unseal (KMS/HSM) and PKI secrets engine operations
- PKI Secrets Engine: experience managing intermediates, role definitions, short-lived certificate issuance, CRLs and automated revocation, with ability to integrate PKI with applications and services
- Certificate Lifecycle Management: experience automating issuance and renewal via Vault Agent, API or CI/CD pipelines, including rotation policies, revocation and certificate policy SLOs
- Integration experience with enterprise systems including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST and revocation protocols
- Experience implementing RBAC, audit devices and HSM/KMS key protection
- Fluent English (C1 minimum)
Tech Stack
- Ansible
- Cloud
- Docker
- Google Cloud Platform
- Grafana
- Jenkins
- Kubernetes
- Linux
- OpenShift
- Prometheus
- Realm
- Terraform
- Vault
Benefits
- flexible working hours
- the freedom to choose your own projects
- access to exciting projects in various industries
- competitive pay
- dedicated team support