Working at Atlassian
Atlassians can choose where they work – whether in an office, from home, or a combination of the two. That way, Atlassians have more control over supporting their family, personal goals, and other priorities. We can hire people in any country where we have a legal entity.
About the Role
We are looking for a Principal Engineer to lead the architecture, evolution, and operational excellence of our identity and security infrastructure platforms. These systems underpin service-to-service authentication, staff-to-service authentication, authorization policy enforcement, and cryptographic key management across thousands of microservices at scale.
You will own the technical vision for how our cloud platform establishes and verifies trust — from ingress/egress authentication at the service mesh layer to cryptographic keypair lifecycle management. This is a high-leverage, cross-organizational role where your decisions directly impact the security posture and developer experience of the entire engineering organisation.
What You'll Do
Architect and evolve platform-wide authentication and authorization systems handling millions of requests per second across a global microservices fleet.
Design and own ingress and egress authentication mechanisms for microservices, including proxy-based sidecars, service mesh integration, and token validation pipelines.
Lead the technical strategy for service-to-service authentication using JWT-based protocols — including token issuance, audience-scoped validation, claims design, and revocation strategies.
Own cryptographic key infrastructure — key generation, rotation, auto-rotation, revocation, and secure distribution of asymmetric keypairs (RSA/EC) at scale via CDN-backed repositories.
Design and scale the Policy Decision Point (PDP) for centralized authorization (AuthZ), enabling fine-grained, policy-as-code access control across all services.
Define trust models for staff-to-service authentication — bridging human identity providers (SSO/OIDC/SAML/Kerberos) into machine-trust contexts for developer and operator access.
Architect build token and workload identity systems — enabling CI/CD pipelines and ephemeral workloads to authenticate securely without long-lived credentials.
Drive reliability and operational excellence for Tier-0 security infrastructure — SLO definition, incident response, capacity planning, and chaos engineering.
Influence cross-org technical direction through RFCs, architecture reviews, and engineering-wide standards for authentication, authorization, and secrets management.
Mentor and grow senior engineers; raise the security engineering bar across multiple teams.
Essential Skills & Experience
Core Requirements
12+ years of software engineering experience, with 5+ years designing and operating large-scale identity, authentication, or security infrastructure systems.
Deep expertise in service-to-service authentication — mTLS, signed JWT tokens (RS256/ES256), certificate-based identity, SPIFFE/SPIRE, or equivalent trust frameworks.
Hands-on experience with JWT ecosystems — token issuance services, audience-bound validation, claims schema design, key rotation strategies, and token revocation/blacklisting.
Strong understanding of ingress/egress authentication patterns — API gateways, Envoy/proxy-based auth plugins, sidecar architectures, and service mesh trust propagation.
Experience building or operating a Policy Decision Point (PDP) for authorization (AuthZ) — policy-as-code engines (OPA/Rego, Cedar, or equivalent), policy distribution, and decision logging for audit/compliance.
Expertise in cryptographic key management — asymmetric keypair generation, automated rotation, secure storage, and large-scale public key distribution (CDN/S3-backed or equivalent).
Experience with build tokens and workload identity — authenticating CI/CD pipelines, ephemeral compute, and automated systems without static secrets.
Staff-to-service authentication design — integrating enterprise identity providers (Okta, SAML 2.0, OIDC, Kerberos) with service-layer trust to enable secure developer/operator access.
Proficiency in Java/Kotlin (primary) and Go (secondary); comfortable working across polyglot service ecosystems.
Production Kubernetes experience — pod identity, network policies, admission controllers, and workload security in multi-tenant clusters.
Cloud IAM expertise (AWS IAM / GCP IAM) — role assumption, workload identity federation, and least-privilege access patterns.
Track record of operating Tier-0/Tier-1 systems — on-call ownership, SLO-driven reliability, incident management, and post-incident reviews.
Architecture & Leadership
Proven ability to drive cross-organisational technical strategy — authoring RFCs, leading architecture reviews, and building consensus across 50+ engineering teams.
Experience migrating or evolving authentication/authorization systems with zero downtime across large service fleets (1000+ services).
Strong threat modelling skills — ability to reason about trust boundaries, token replay, privilege escalation, and supply-chain attacks.
Demonstrated mentorship and technical leadership — growing senior engineers, establishing engineering standards, and raising the security bar org-wide.
Nice-to-Have
Experience with zero-trust network architectures and identity-aware proxies.
Familiarity with policy-as-code frameworks (OPA/Rego, Cedar, Styra) for fine-grained authorization at scale.
Background in compliance-driven environments (SOX, SOC2, FedRAMP, ISO 27001) — designing controls that satisfy audit requirements without sacrificing velocity.
Experience with secrets management platforms (Vault, AWS Secrets Manager, GCP Secret Manager) and secret injection patterns.
Contributions to open-source security/identity projects or relevant standards bodies (IETF, OpenID Foundation).
Experience with large-scale migration programs — deprecating legacy auth systems, dual-running, and progressive rollout across thousands of services.
Familiarity with observability for security systems — distributed tracing of auth flows, anomaly detection on token usage, and decision-log analytics.
Tech Stack You'll Work With
Languages: Java, Kotlin, Go
Infrastructure: Kubernetes, Docker, AWS, GCP
Auth & Identity: JWT (RS256/ES256), mTLS, SPIFFE/SPIRE, OAuth 2.0, OIDC, SAML 2.0, Kerberos
AuthZ: OPA/Rego, policy-as-code engines, centralized PDP
Key Management: Asymmetric cryptography, HSM integration, CDN-backed key distribution
Proxies & Mesh: Envoy, service mesh, sidecar architectures
Observability: Splunk, SignalFx, distributed tracing
CI/CD: Build tokens, workload identity, automated pipelines
At Atlassian, we strive to design equitable, explainable, and competitive compensation programs. We follow consistent hiring practices and account for each candidate's skills, knowledge, and experience when setting base pay within the range.
This role may also be eligible for benefits, bonuses, commissions, and equity.
Benefits & Perks
Atlassian offers a wide range of perks and benefits designed to support you, your family and to help you engage with your local community. Our offerings include health and wellbeing resources, paid volunteer days, and so much more. To learn more, visit go.atlassian.com/perksandbenefits.
About Atlassian
At Atlassian, we're motivated by a common goal: to unleash the potential of every team. Our software products help teams all over the planet and our solutions are designed for all types of work. Team collaboration through our tools makes what may be impossible alone, possible together.
We believe that the unique contributions of all Atlassians create our success. To ensure that our products and culture continue to incorporate everyone's perspectives and experience, we never discriminate based on race, religion, national origin, gender identity or expression, sexual orientation, age, or marital, veteran, or disability status. All your information will be kept confidential according to EEO guidelines.
To provide you the best experience, we can support with accommodations or adjustments at any stage of the recruitment process. Simply inform our Recruitment team during your conversation with them.
To learn more about our culture and hiring process, visit go.atlassian.com/crh.