Principal Architect

About The Position

Requirements

• 10+ years of software engineering experience, with at least 4+ years focused on Identity (AuthN/AuthZ), Key Management, or high-scale distributed systems in a cloud or IaaS environment
• Expert-level proficiency in Go and deep experience with gRPC microservices architecture
• Deep knowledge of identity protocols (OIDC, OAuth2, SAML, SCIM) and access control models (RBAC, ABAC, PBAC), with a track record of delivering these at cloud scale
• Hands-on experience designing or operating key management infrastructure, including envelope encryption, HSM integration, and BYOK/CMEK patterns
• Proven ability to build systems that handle consensus, replication, and partitioning at scale with strong reliability and observability
• Deep experience with Kubernetes, SQL (MySQL), and Infrastructure as Code (Terraform)
• Demonstrated track record of driving ambiguous, multi-team platform initiatives from problem definition through to shipped, production capability
• Ability to write crisp RFCs, present architectural strategy to senior leadership, and align diverse teams around a shared technical direction

Nice To Haves

• Experience with SPIFFE/SPIRE or workload identity federation
• Familiarity with secrets management platforms (e.g., HashiCorp Vault)
• Contributions to open-source identity or cryptography projects

Responsibilities

• Define and drive the multi-year technical roadmap for IAM and KMS including authentication, authorization, secrets management, and cryptographic key lifecycle across DigitalOcean's global, multi-tenant cloud platform.
• Design high-availability, low-latency identity and key management services in Go that handle massive, sustained load across global regions with strong consistency and full auditability.
• Architect secure token exchange patterns and identity context injection for agentic AI workflows, building the IAM foundations that underpin DigitalOcean's emerging AI/ML platform offerings.
• Design and deliver a robust, multi-tenant KMS, including envelope encryption, customer-managed key patterns, and HSM-backed key material, that gives customers deep, fine-grained control over their data security posture.
• Drive the evolution of our Policy Engine (Rego/OPA) to support advanced resource-level permissions, dynamic scoping, network-aware access conditions, and the complex authorization demands of agentic workflows.
• Partner with Inference, Billing, DOKS, and Platform Security to resolve architectural gaps that span multiple teams.
• Serve as the connective tissue between identity and the broader cloud platform and ensure security is an enabler of developer velocity, not an obstacle.
• Establish cryptographic and identity engineering standards adopted org-wide.
• Lead design reviews for changes with cross-cutting platform risk and author RFCs that shape DigitalOcean's technical direction.
• Mentor and develop senior and mid-level engineers across IAM and adjacent teams.
• Conduct deep code reviews, model architectural thinking, and build a culture of security-first engineering.

Benefits

• Competitive array of benefits to support you from our Employee Assistance Program to Local Employee Meetups to flexible time off policy
• Reimbursement for relevant conferences, training, and education
• Access to LinkedIn Learning's 10,000+ courses
• Bonus in addition to base salary
• Equity compensation to eligible employees, including equity grants upon hire and the option to participate in our Employee Stock Purchase Program