Senior Engineer – Workload Identity Platform (SPIFFE/SPIRE) 

Senior Engineer – Workload Identity Platform (SPIFFE/SPIRE)

About Us

Working at Target means helping all families discover the joy of everyday life. Behind the scenes, our technology teams build and operate platforms that enable secure, scalable, and reliable experiences across the enterprise.

The Identity Engineering team is responsible for delivering modern identity capabilities that secure workloads, applications, and infrastructure. We are investing in cloud-native workload identity solutions that leverage SPIFFE/SPIRE and Zero Trust principles to provide secure service-to-service communication across Target's technology ecosystem.

About the Job

As a Senior Engineer on the Workload Identity Platform team, you will help design, build, and operate workload identity solutions that enable secure authentication and authorization for applications and infrastructure across cloud-native environments.

You will work closely with platform engineering, security, infrastructure, and application teams to implement and scale SPIFFE/SPIRE-based identity services, integrate with Kubernetes environments, and automate identity lifecycle management. You will contribute to architecture decisions, lead complex technical initiatives, and mentor engineers while helping establish best practices for workload identity across the enterprise.

Core Responsibilities

• Design, implement, and support workload identity solutions using SPIFFE/SPIRE.

• Deploy, configure, and operate SPIRE Server and SPIRE Agent infrastructure.

• Design and manage SPIFFE trust domains and workload identity models.

• Implement and support X.509 SVID and JWT-SVID issuance, validation, rotation, and lifecycle management.

• Develop and maintain workload registration and attestation processes.

• Design and implement integrations between SPIRE, Kubernetes, and enterprise platforms.

• Develop custom SPIRE extensions, plugins, node attestors, or workload attestors where required.

• Partner with engineering teams to onboard workloads and applications to workload identity services.

• Implement identity-aware authentication and authorization patterns for distributed systems.

• Troubleshoot complex identity, authentication, authorization, and certificate lifecycle issues.

• Contribute to platform automation, observability, reliability, and operational excellence.

• Participate in architecture reviews and technical design discussions.

• Mentor engineers and promote engineering best practices.

About You

• Four-year degree in Computer Science, Engineering, or equivalent practical experience.

• 5+ years of software engineering experience designing, developing, and supporting production systems.

• 2+ years of hands-on experience with SPIFFE/SPIRE or equivalent workload identity technologies.

• Strong software development experience in Go.

• Experience building and operating cloud-native applications and services in Kubernetes environments.

• Experience designing and troubleshooting distributed systems and microservice-based architectures.

• Experience implementing workload authentication, identity, and trust solutions for cloud-native platforms.

• Experience developing APIs, integrations, or platform services that operate at scale.

• Strong problem-solving, debugging, and root-cause analysis skills.

• Ability to work across teams and influence technical solutions through collaboration and engineering excellence.

Required Technical Skills

Workload Identity & SPIFFE/SPIRE

• Hands-on experience deploying and operating SPIRE Server and SPIRE Agents.

• Strong understanding of SPIFFE IDs, trust domains, and workload identity concepts.

• Experience implementing and managing X.509 SVIDs and JWT-SVIDs.

• Experience with workload and node attestation mechanisms.

• Familiarity with SPIRE Registration APIs and Workload APIs.

• Experience developing or extending SPIRE integrations.

Software Engineering

• Strong proficiency in Go.

• Experience building APIs, services, and distributed systems in Go.

• Experience developing integrations, plugins, or extensions for cloud-native platforms.

• Experience with Linux environments and troubleshooting.

• Experience with CI/CD automation and deployment pipelines.

Kubernetes & Cloud-Native Technologies

• Kubernetes administration and operations.

• Helm-based deployments and configuration management.

• Containerized application architectures.

• Cloud-native identity and workload security patterns.

• Experience operating services in production Kubernetes environments.

Preferred Qualifications

• Experience developing custom SPIRE node attestors or workload attestors.

• Experience extending SPIRE through custom plugins or integrations.

• Experience with Istio, Linkerd, or other service mesh technologies.

• Experience with Envoy proxy configuration and integration.

• Experience implementing mTLS for service-to-service authentication.

• Experience with Open Policy Agent (OPA).

• Experience with PKI and certificate lifecycle management.

• Experience with Java and/or Python.

• Experience operating SPIRE in large-scale Kubernetes environments.

• Experience with multi-cluster or multi-cloud workload identity architectures.

• Contributions to SPIFFE, SPIRE, Kubernetes, Envoy, or related open-source communities.

What Success Looks Like

• Successfully enables workload identity adoption across multiple engineering teams.

• Delivers scalable and reliable SPIFFE/SPIRE-based identity services.

• Reduces operational overhead through automation and self-service capabilities.

• Establishes secure authentication and authorization patterns for cloud-native workloads.

• Acts as a trusted technical contributor and mentor within the engineering organization.

• Helps evolve Target's workload identity platform to support future cloud-native and Zero Trust initiatives.

This position will operate as a Hybrid/Flex for Your Day work arrangement based on Target’s needs. A Hybrid/Flex for Your Day work arrangement means the team member’s core role will need to be performed both onsite at the Target HQ MN location the role is assigned to and virtually, depending upon what your role, team and tasks require for that day. Work duties cannot be performed outside of the country of the primary work location, unless otherwise prescribed by Target. Click here if you are curious to learn more about Minnesota.