IAM Keycloak Secrets PKI Engineer (PID0647)

Remote, USA
Posted Jun 14, 2026
Full-time

This is a remote position.

IAM | Contract / Freelance

Remote with travel readiness required (Germany)

Start: 01.07.2026

About the role

We are seeking a Mid-level IAM, Secrets and PKI Engineer to join the Identity and Access Management team of a large internal platform programme in the energy sector. You will design, implement and operate Keycloak and HashiCorp Vault across a hybrid cloud environment, delivering scalable, secure and federated access management alongside a robust PKI and secrets management capability.

What you'll be doing

Implementing RBAC/ABAC policies and multi-realm setups in Keycloak, mapping Kerberos/IPA identities and groups into realms, roles and clients

Configuring SSO flows, MFA and identity federation across hybrid cloud and on-premises workloads

Deploying Keycloak on VMs, Docker and Kubernetes (OpenShift and bare-metal), configuring OIDC, OAuth2, SAML and Kerberos/LDAP federation

Deploying Keycloak on GKE with Helm/Operators, integrating with Google Identity and mapping Keycloak roles to GCP IAM roles

Configuring HashiCorp Vault to secure Keycloak operational secrets, implementing dynamic secrets for database backends and using Vault Agent or the Vault Agent Sidecar Injector to inject secrets into Keycloak pods

Deploying and operating Vault in production on Linux-based systems, including HA, Raft storage, seal/unseal mechanisms and HSM/KMS integration

Managing Vault PKI operations including intermediates, issuing CAs, short-lived certificate issuance, CRL/OCSP integration and automated revocation

Implementing ACME v2 and EST (device enrolment), AIA/CRL/OCSP publishing and RFC 5280-compliant certificate profiles

Automating Keycloak and Vault deployment and configuration using Terraform, Helm and Ansible

Integrating certificate and secret distribution into CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI)

Monitoring both platforms with Prometheus and Grafana and managing incident response for expired certificates, Vault unseal failures and IPA migration issues

Requirements

What you'll need

Strong knowledge of authentication protocols including OIDC, OAuth2, SAML, Kerberos and LDAP

Expertise with Keycloak deployment across VM, Kubernetes and optionally GCP

Experience integrating Vault for secrets management

Experience with Terraform, Helm and Argo CD automation

Expertise troubleshooting hybrid IAM flows

Vault Fundamentals: hands-on experience deploying and managing Vault clusters in production including HA, Raft storage, seal/unseal (KMS/HSM) and PKI secrets engine operations

PKI Secrets Engine: experience managing intermediates, role definitions, short-lived certificate issuance, CRLs and automated revocation, with ability to integrate PKI with applications and services

Certificate Lifecycle Management: experience automating issuance and renewal via Vault Agent, the Vault API or CI/CD pipelines, including rotation policies, revocation and SLOs for certificate validity and renewal

Integration experience with enterprise systems including Kubernetes ingress, load balancers, VPN, S/MIME, databases, ACME, EST and revocation protocols

Experience implementing RBAC, audit devices and HSM/KMS key protection

Fluent English (C1 minimum)

Desirable

Experience with cloud services and their configuration

Knowledge of OIDC-based IAM solutions such as Keycloak used as authentication backends

Fluent German

Experience working with Scrum and agile frameworks

Benefits
As a freelancer / contractor with us, you will enjoy flexible working hours and the freedom to choose your own projects. Our platform gives you access to exciting projects in various industries and supports you in advancing your career. You'll benefit from competitive pay and a dedicated team to help you with any questions you may have. Work independently and utilise our strong network to achieve your professional goals.