IAM Tier 3 Operations Engineer (m/w/d) KeyCloak & Hashicorp Vault Integration Remote Berlin FFM

Project assessment

The project posting gives a very detailed insight into the requirements for an IAM Engineer in the energy sector, with extensive technical challenges, a clear remote-work arrangement and interesting areas of work around Vault and Keycloak.

For our client in Berlin we are looking for experienced support as IAM Engineer (m/w/d) KeyCloak & Hashicorp Vault Integration as part of a long-term greenfield project. The work is performed remotely and, as a rule, on site in Berlin or Frankfurt for 3-4 days during one week per month. Depending on the project phase, on-site availability of up to 50% is required. The background is a large platform project in the energy sector.



Project:

The team is building an internal platform for software product developers to accelerate the development and delivery of software products to tackle the massive challenges facing the energy sector. The Platform is a service-oriented, cloud-native platform that is being built to provide application teams with self-service capabilities to develop, run and operate their software products. The Platform provides services for application infrastructure, data, service lifecycle management, application build and delivery, as well as services to operate their software products. The Platform is deployed as a hybrid cloud, encompassing both private cloud and select public clouds.



The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure and federated access to applications and ensuring seamless integration across the hybrid cloud environment.



Objective 1: Deploy and configure Vault services in enterprise environments:

Installation and configuration of HashiCorp Vault Enterprise.

Setting up of namespaces, secret engines, authentication backends, entities, and AppRoles.

Integration with Kubernetes clusters using VSO / ESO.

Documentation of deployed setups for reuse in further environments.



Objective 2: Implement secure lifecycle handling of secrets:

Configuration of secret rotation, renewal, and expiration.

Integration of Hardware Security Module (HSM) for key storage.

Setting up of PKI workflows for certificate generation and renewal.

Verification of compliance with project security requirements.



Objective 3: Automate Vault provisioning and management:

Creation of Helm charts, Terraform modules, and GitOps workflows.

Automation of application onboarding to Vault.

Implementation of CI/CD integrations for secret injection during deployments.

Documentation of automation steps for reproducibility.



Objective 4: Ensure stable operations and technical alignment:

Monitoring and tuning of Vault clusters for performance and availability.

Execution of upgrades and patching activities.

Coordination of integration points between IAM and the platform.

Record operational changes in technical documentation.



Objective 5: Knowledge transfer and continuous improvement:

Prepare runbooks and operational guidelines.

Sharing of best practices in internal sessions or documentation.

Deploy new Vault features and community practices.

Prototyping of improvements for secrets management workflows.



Must-have experience

Experience with Vault Enterprise administration, including configuring Vault namespaces, ACLs, identity groups, DR and auto-unseal:

Secrets management integrations (VSO/ESO, CI/CD).

OIDC and RBAC/ABAC patterns.

HA/DR and secure operational runbooks.

Experience with the integration of Keycloak OIDC/JWT and Terraform policy-as-code.

Experienced with onboarding workflows (agents, sidecars, templates) and managing secret rotation engines and expiry alerts.

Experience with implementation of mTLS, IP allow-lists, JIT access, SIEM integration along with delivering tamper-evident audit logging.

Experience with the broader Vault architecture and its best-practices.

Experience with Hardware Security Modules (HSM), which need to be integrated at the infrastructure level, along with basic knowledge of Public Key Infrastructure (PKI).

Experience with short-lived certs via Vault PKI (not ceremonies).

Fluent English (C1).



Preferred experience

Experience with cloud services and their configuration.

Knowledge about IAM solutions based on OpenID Connect (OIDC), such as Keycloak, for auth backends.

Working with Scrum and general experience in agile frameworks.

Fluent in German.



Start: end of October

End: 31.12.2025 + option for long-term extension

Location: Remote + Frankfurt or Berlin by arrangement



We look forward to receiving your application at https://www.percision.de/projekt/8938/ including your hourly rate and your availability.



Sebastian Leja

Team Lead Recruiting

Phone +49 221 27850 -322

Mail Sebastian.Leja@percision.de

percision services GmbH (adesso group)

Agrippinawerft 26 (2nd floor), 50678 Köln


Type of employment

contracting

Posted on

15 September 2025

Offered by:

Freelancermap
