IAM KeyCloak Secrets PKI Engineer (PID0647)

Interval


Job Location:

Berlin - Germany

Monthly Salary: Not Disclosed
Posted on: 5 days ago
Vacancies: 1 Vacancy

Job Summary

This is a remote position.


  • Contract / Freelance
  • Full-time
  • Remote with travel readiness required (Germany)
  • Start: 01.07.2026

About the role

We are seeking a mid-level IAM Secrets and PKI Engineer to join the Identity and Access Management team of a large internal platform programme in the energy sector. You will design, implement and operate Keycloak and HashiCorp Vault across a hybrid cloud environment, delivering scalable, secure and federated access management alongside a robust PKI and secrets management capability.

What you'll be doing

  • Implementing RBAC/ABAC policies and multi-realm setups in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles and clients
  • Configuring SSO flows, MFA and identity federation across hybrid cloud and on-premises workloads
  • Deploying Keycloak on VMs, Docker and Kubernetes (OpenShift and bare-metal), configuring OIDC, OAuth2, SAML and Kerberos/LDAP federation
  • Deploying Keycloak on GKE with Helm/Operators, integrating with Google Identity and mapping Keycloak roles to GCP IAM roles
  • Configuring HashiCorp Vault to secure Keycloak operational secrets, implementing dynamic secrets for DB backends and integrating Vault Agent/Sidecar injector for secret injection into Keycloak pods
  • Deploying and operating Vault in production on Linux-based systems, including HA Raft storage, seal/unseal mechanisms and HSM/KMS integration
  • Managing Vault PKI operations, including intermediates, issuing CAs, short-lived certificate issuance, CRL/OCSP integration and automated revocation
  • Implementing ACME v2, EST for devices, AIA/CRL/OCSP publishing and RFC 5280 profiles
  • Automating Keycloak and Vault deployment and configuration using Terraform, Helm and Ansible
  • Integrating certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI)
  • Monitoring both platforms with Prometheus and Grafana, and managing incident response for expired certificates, Vault unseal failures and IPA migration issues


Requirements

What you'll need

  • Strong knowledge of authentication protocols, including OIDC, OAuth2, SAML, Kerberos and LDAP
  • Expertise with Keycloak deployment across VM, Kubernetes and optionally GCP
  • Experience integrating Vault for secrets management
  • Experience with Terraform, Helm and ArgoCD automation
  • Expertise troubleshooting hybrid IAM flows
  • Vault Fundamentals: hands-on experience deploying and managing Vault clusters in production, including HA Raft storage, seal/unseal (KMS/HSM) and PKI secrets engine operations
  • PKI Secrets Engine: experience managing intermediates, role definitions, short-lived certificate issuance, CRLs and automated revocation, with ability to integrate PKI with applications and services
  • Certificate Lifecycle Management: experience automating issuance and renewal via Vault Agent, API or CI/CD pipelines, including rotation policies, revocation and certificate policy SLOs
  • Integration experience with enterprise systems, including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST and revocation protocols
  • Experience implementing RBAC, audit devices and HSM/KMS key protection
  • Fluent English (C1 minimum)

Desirable

  • Experience with cloud services and their configuration
  • Knowledge of IAM solutions based on OIDC such as Keycloak for auth backends
  • Fluent German
  • Experience working with Scrum and agile frameworks


Benefits

As a freelancer / contractor with us, you will enjoy flexible working hours and the freedom to choose your own projects. Our platform gives you access to exciting projects in various industries and supports you in advancing your career. You'll benefit from competitive pay and a dedicated team to help you with any questions you may have. Work independently and utilise our strong network to achieve your professional goals.


Required Skills:

Requirements:

  • Residence in Germany
  • Demonstrable experience in consulting or operational support in project and financial controlling
  • Reference project in the public sector (not older than July 2020) with a duration of at least one year
  • Project management certification (e.g. IPMA, PRINCE2, DIN 69901/69909)
  • Willingness to undergo a security clearance check as specified by the client
  • Willingness to travel to Baden-Württemberg
  • Very good German language skills

Note on the process: Because of the short deadline the client has set for presenting profiles, we will send you our non-disclosure agreement (NDA) immediately after receiving your application. Once we have the signed agreement, we will submit your profile to the client. If the feedback is positive, we will arrange a call to discuss further details.
