Weare looking for an IAM PKI Engineer to join its internal platform team. In this role, you will design, implement and operate Identity & Access Management services — including Keycloak, HashiCorp Vault and PKI infrastructure — working closely with the EDP IAM team in an agile, sprint-based delivery environment.
Implement and maintain Keycloak deployments on VMs, Kubernetes (OpenShift, bare-metal, GKE) and Docker, including OIDC, OAuth2, SAML and Kerberos/LDAP federation.
Configure RBAC/ABAC policies, multi-realm and multi-tenant setups across hybrid cloud and on-prem workloads.
Integrate Keycloak with IPA/LDAP/AD for identity sync, and with Google Identity as an IdP or broker.
Deploy and operate HashiCorp Vault in production on Linux-based systems, including HA clusters, Raft storage, seal/unseal mechanisms (Shamir, HSM, cloud KMS).
Configure Vault for securing Keycloak operational secrets, implementing dynamic secrets and secret rotation policies.
Set up and manage the Vault PKI secrets engine: internal CAs, intermediates, short-lived certificate issuance, CRL/OCSP, and automated revocation.
Integrate PKI with enterprise services such as Kubernetes ingress controllers, load balancers, web servers and VPNs.
Automate deployment and configuration of Keycloak and Vault using Terraform, Helm and/or Ansible, following IaC and GitOps practices.
Work on CI/CD integration (GitHub Actions, GitLab CI, Jenkins) for certificate and secret distribution.
Monitor both platforms with Prometheus and Grafana; handle incident response for expired certificates, Vault unseal failures and IPA migration issues.
Strong hands-on knowledge of authentication and authorisation protocols: OIDC, OAuth2, SAML, Kerberos and LDAP.
Proven experience deploying and managing Keycloak on VM and/or Kubernetes environments.
Demonstrated experience with HashiCorp Vault in production: HA clusters, Raft storage, seal/unseal configuration (KMS/HSM) and PKI secrets engine operations.
Experience managing PKI infrastructure: intermediate CAs, role definitions, short-lived certificate issuance, CRLs and automated revocation.
Experience automating certificate lifecycle management via Vault Agent, API or CI/CD pipelines, including rotation policies and revocation.
Experience integrating PKI with enterprise systems (Kubernetes ingress, load balancers, VPN, S/MIME, databases).
Hands-on experience with Terraform, Helm and/or ArgoCD for infrastructure automation.
Experience with Prometheus and Grafana for monitoring; ability to troubleshoot unseal, auth and CRL issues and perform backup & restore.
