OpenBao / Vault Operations IAM Engineer (m/w/d) - Remote & Berlin/Frankfurt

Project assessment

The posting offers extremely detailed tasks in the OpenBao/Vault operations and IAM area with clear requirements, a remote model with occasional on-site days in Berlin/Frankfurt and a greenfield project context, but it is considerably weakened by the complete absence of the hourly rate, the project duration and the exact workload.

For our client in Berlin we are looking for experienced support as OpenBao / Vault Operations IAM Engineer (m/w/d) within a long-term greenfield project. The work is performed remotely and, as a rule, one week per month with approx. 1-3 days on site in Berlin or Frankfurt, by arrangement. The background is a large platform project in the energy sector.

General Description
The IAM Service is responsible for the conception and design of identity and access management (IAM) services for the platform. The primary goals are providing scalable, secure, and federated access to applications and ensuring seamless integration across the hybrid cloud environment.

Objective: OpenBao / Vault Operations (Deep).
Tasks:
• Management of the cluster lifecycle, including initialisation, unseal operations, upgrades and the migration process.
• Overseeing Raft consensus functions such as maintaining quorum, conducting leader election, ensuring anti-affinity placement, and handling network partition scenarios.
• Implementation of procedures for creating and restoring system snapshots, including managing encrypted offsite backups for disaster recovery.
• Consulting on optimizing system performance by fine-tuning connection limits and storage input/output operations, and minimizing audit logging overhead.
• Coordination of the creation of namespaces, attachment of security policies, and configuration of authentication mounts.
• Administration of audit devices and integration of log pipelines for effective monitoring and compliance.
• Investigation and resolution of operational issues including seal/unseal failures, instability in Raft leadership, and problems like token or lease storms.

Objective: Infrastructure as Code.
Tasks:
• Utilization of Terraform or OpenTofu to manage resources in Vault or OpenBao environments.
• Deployment of applications to Kubernetes clusters using Helm, as appropriate.
• Implementation of GitOps practices for configuration management by leveraging ArgoCD or Flux.


Objective: Kubernetes Integration
Tasks:
• Setting up and overseeing the lifecycle of authentication methods within Kubernetes environments.
• Design and execution of secret injection solutions, leveraging tools like Vault Agent, the CSI driver, or the External Secrets Operator.
• Ensuring compatibility and alignment with service mesh technologies, focusing on mutual TLS (mTLS) and SPIFFE identity integration.

Objective: Observability.
Tasks:
• Gathering of Prometheus metrics from OpenBao for monitoring purposes.
• Design and maintenance of Grafana dashboards to visualize and track operational Service Level Objectives (SLOs).
• Establishment and management of audit log pipelines, including log collection, indexing, and retention strategies.

Objective: PKI Baseline (Cross-Coverage Requirement).
Tasks:
• Comprehend the core principles of certificate lifecycle management.
• Distinguish between PKI OpenBao clusters and Secrets OpenBao clusters, and understand the rationale for maintaining their separation.

Objective: Monitoring & Troubleshooting.
Tasks:
• Ensuring deployments meet reliability, security, and compliance standards by performing both functional tests for PKI and Secrets, as well as integration tests covering IAM federation, CI/CD pipelines, and high availability/disaster recovery.
• Monitoring Vault telemetry, logs, and SIEM outputs, and troubleshooting failures involving Vault, PKI, and Keycloak.
• Automating and validating repeatable HA/DR failover testing processes.
• Extending testing and validation to include multi-tenant setups and Registration Authority (RA) scenarios.

Must-have experience
• Experience with OpenBao/Hashicorp Vault: cluster lifecycle, Raft consensus, snapshot/restore, namespace operations, audit device management
• Expertise with Infrastructure as Code: Terraform/OpenTofu, Helm, ArgoCD/Flux
• Experience with Policy-as-code: HCL policy authoring, testing, CI validation
• Expertise in Kubernetes auth method configuration and secret injection patterns (Agent, CSI, ESO)
• Strong skills in Observability: Prometheus, Grafana, audit log pipelines
• Familiarity with reading a Tier-1 execution narrative and implementing it without line-by-line translation
• Experience producing clean Tier-3 runbooks that another engineer could follow independently
• PKI fundamentals: certificate lifecycle, why PKI and Secrets clusters must remain separate.

Must-have language skills:
• Language: Fluent English – C1

Preferred experience
• Experience reading a Tier-1 execution narrative and implementing it without requiring the Programme Architect to translate every requirement into CLI commands, cloud services and their configuration
• Experience producing clean Tier-3 runbooks that another engineer could follow
• Fluent in German
• Working with Scrum and general experience in agile frameworks
• Experience working in a governance-constrained environment where "just do it" is not acceptable

Tags: OpenBao, Hashicorp Vault, IAM, Terraform, Prometheus, Grafana, HCL, Policy as Code

Type of employment

contracting

Posted on

6 March 2026

Offered by:

GULP
