We are seeking a Staff Software Engineer (IC6) to join our Customer Trust & Engineering organization as the technical owner of Identity & Access Management and Key Management Services. IAM and KMS are the bedrock of trust at DigitalOcean; our services sit in the critical path of every request, authorizing billions of transactions per second with single-digit millisecond latency, and securing the cryptographic material that protects every customer workload on the platform.
As an IC6, you won't just influence existing systems - you will define what our identity and key management platforms become over the next two to three years, and lead the engineers who build them. You will drive architectural strategy across multiple teams, resolve cross-cutting technical challenges, and set the standard for how DigitalOcean thinks about identity at hyperscale. If you are passionate about distributed systems, cryptographic security, and building foundational infrastructure that millions of developers depend on, this is the role for you.
What You'll Do:Own the Platform Vision: Define and drive the multi-year technical roadmap for IAM and KMS including authentication, authorization, secrets management, and cryptographic key lifecycle across DigitalOcean's global, multi-tenant cloud platform.
Architect for Hyperscale: Design high-availability, low-latency identity and key management services in Go that handle massive, sustained load across global regions with strong consistency and full auditability.
Lead Next-Gen Identity: Architect secure token exchange patterns and identity context injection for agentic AI workflows, building the IAM foundations that underpin DigitalOcean's emerging AI/ML platform offerings.
Evolve Key Management: Design and deliver a robust, multi-tenant KMS, including envelope encryption, customer-managed key patterns, and HSM-backed key material, that gives customers deep, fine-grained control over their data security posture.
Solve Complex AuthZ at Scale: Drive the evolution of our Policy Engine (Rego/OPA) to support advanced resource-level permissions, dynamic scoping, network-aware access conditions, and the complex authorization demands of agentic workflows.
Drive Cross-Team Impact: Partner with Inference, Billing, DOKS, and Platform Security to resolve architectural gaps that span multiple teams. Serve as the connective tissue between identity and the broader cloud platform and ensure security is an enabler of developer velocity, not an obstacle.
Set Engineering Standards: Establish cryptographic and identity engineering standards adopted org-wide. Lead design reviews for changes with cross-cutting platform risk and author RFCs that shape DigitalOcean's technical direction.
Mentor & Grow the Organization: Mentor and develop senior and mid-level engineers across IAM and adjacent teams. Conduct deep code reviews, model architectural thinking, and build a culture of security-first engineering.
What You'll Add to DigitalOcean:- Experience: 10+ years of software engineering experience, with at least 4+ years focused on Identity (AuthN/AuthZ), Key Management, or high-scale distributed systems in a cloud or IaaS environment
- Language Expert: Expert-level proficiency in Go and deep experience with gRPC microservices architecture
- Identity Specialist: Deep knowledge of identity protocols (OIDC, OAuth2, SAML, SCIM) and access control models (RBAC, ABAC, PBAC), with a track record of delivering these at cloud scale
- Cryptography & KMS: Hands-on experience designing or operating key management infrastructure, including envelope encryption, HSM integration, and BYOK/CMEK patterns
- Distributed Systems: Proven ability to build systems that handle consensus, replication, and partitioning at scale with strong reliability and observability
- Cloud Native: Deep experience with Kubernetes, SQL (MySQL), and Infrastructure as Code (Terraform)
- Technical Leadership: Demonstrated track record of driving ambiguous, multi-team platform initiatives from problem definition through to shipped, production capability
- Communication: Ability to write crisp RFCs, present architectural strategy to senior leadership, and align diverse teams around a shared technical direction
Nice to Have- Experience with SPIFFE/SPIRE or workload identity federation
- Familiarity with secrets management platforms (e.g., HashiCorp Vault)
- Contributions to open-source identity or cryptography projects
Compensation Range: *This is a remote role
#LI-Remote
Application Limit: You may apply to a maximum of 3 positions within any 180-day period. This policy promotes better role-candidate matching and encourages thoughtful applications where your qualifications align most strongly.
