Interval Group

IAM KeyCloak Secrets PKI Engineer

IAM KeyCloak Secrets PKI Engineer designing and operating Keycloak and HashiCorp Vault in hybrid cloud environments. Focusing on scalable secure access management for the energy sector.

Posted 6/1/2026 • Contract • Remote • 🇩🇪 Germany • Mid-Level, Senior

Tech Stack

Tools & technologies
Ansible, Cloud, Docker, Google Cloud Platform, Grafana, Jenkins, Kubernetes, Linux, OpenShift, Prometheus, Realm, Terraform, Vault

About the role

Key responsibilities & impact
  • We are seeking a Mid-level IAM, Secrets and PKI Engineer to join the Identity and Access Management team of a large internal platform programme in the energy sector.
  • You will design, implement and operate Keycloak and HashiCorp Vault across a hybrid cloud environment, delivering scalable, secure and federated access management alongside a robust PKI and secrets management capability.
  • Implementing RBAC/ABAC policies and multi-realm setups in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles and clients
  • Configuring SSO flows, MFA and identity federation across hybrid cloud and on-premises workloads
  • Deploying Keycloak on VMs, Docker and Kubernetes (OpenShift and bare-metal), configuring OIDC, OAuth2, SAML and Kerberos/LDAP federation
  • Deploying Keycloak on GKE with Helm/Operators, integrating with Google Identity and mapping Keycloak roles to GCP IAM roles
  • Configuring HashiCorp Vault to secure Keycloak operational secrets, implementing dynamic secrets for DB backends and integrating Vault Agent/Sidecar injector for secret injection into Keycloak pods
  • Deploying and operating Vault in production on Linux-based systems, including HA, Raft storage, seal/unseal mechanisms and HSM/KMS integration
  • Managing Vault PKI operations including intermediates, issuing CAs, short-lived certificate issuance, CRL/OCSP integration and automated revocation
  • Implementing ACME v2, EST for devices, AIA/CRL/OCSP publishing and RFC 5280 profiles
  • Automating Keycloak and Vault deployment and configuration using Terraform, Helm and Ansible
  • Integrating certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI)
  • Monitoring both platforms with Prometheus and Grafana and managing incident response for expired certificates, Vault unseal failures and IPA migration issues

Requirements

What you’ll need
  • Strong knowledge of authentication protocols including OIDC, OAuth2, SAML, Kerberos and LDAP
  • Expertise with Keycloak deployment across VM, Kubernetes and optionally GCP
  • Experience integrating Vault for secrets management
  • Experience with Terraform, Helm and ArgoCD automation
  • Expertise troubleshooting hybrid IAM flows
  • Vault Fundamentals: hands-on experience deploying and managing Vault clusters in production including HA, Raft storage, seal/unseal (KMS/HSM) and PKI secrets engine operations
  • PKI Secrets Engine: experience managing intermediates, role definitions, short-lived certificate issuance, CRLs and automated revocation, with ability to integrate PKI with applications and services
  • Certificate Lifecycle Management: experience automating issuance and renewal via Vault Agent, API or CI/CD pipelines, including rotation policies, revocation and certificate policy SLOs
  • Integration experience with enterprise systems including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST and revocation protocols
  • Experience implementing RBAC, audit devices and HSM/KMS key protection
  • Fluent English (C1 minimum)

Benefits

Comp & perks
  • flexible working hours
  • the freedom to choose your own projects
  • access to exciting projects in various industries
  • competitive pay
  • dedicated team support
