Senior Software Engineer, Identity
Tesla
About the role
About Tesla Cloud Platform
Tesla Cloud Platform (TCP) is Tesla's internal cloud that powers compute, storage, and networking at global scale across multiple datacenters. As a Senior Software Engineer focused on Identity, you will own and evolve the identity and access management layer that secures every service and resource on the platform. This is not a consumer identity role - this is infrastructure-grade IAM for a mission-critical cloud platform. You will design and build the systems that control who can access what across Tesla's entire on-premise cloud, from tenant isolation to fine-grained resource permissions.
This position offers a unique opportunity to shape the security and access foundation of Tesla's private cloud. You will collaborate closely with compute, storage, Kubernetes, DNS, and bare metal teams to ensure identity and authorization are embedded into every layer of the platform.
What You'll Do
- Design and build IAM policies, role-based access control (RBAC), and permission models that govern access across all TCP managed services.
- Implement fine-grained, resource-level authorization across compute, storage, Kubernetes, DNS, KMS, and bare metal services.
- Build and enforce tenant isolation boundaries, ensuring strict separation between organizational units and projects.
- Own TCP's Single Sign-On (SSO) integration, supporting SAML, OIDC, and enterprise identity providers.
- Build and maintain authentication flows across the TCP portal, API gateway, and service-to-service communication.
- Build and evolve the group management system - creation, membership, nesting, and synchronization with enterprise directory services.
- Drive the evolution toward zero trust architecture within TCP, including service-to-service authentication (mTLS, JWT, API keys).
- Integrate with HashiCorp Vault for secrets management, certificate issuance, and dynamic credentials.
- Build audit logging and access trail capabilities for compliance and security review.
- Partner with networking, datacenter operations, compliance, and security teams to align TCP's identity model with Tesla's broader security posture.
What You'll Bring
- 3+ years of professional experience in software development with Go, Python, Java, or similar backend languages
- Experience designing and building IAM, RBAC, or authorization systems for multi-tenant platforms
- Strong understanding of authentication protocols: OAuth 2.0, OIDC, SAML, JWT
- Experience with directory services (Active Directory, LDAP) and identity federation
- Solid understanding of cryptographic concepts - TLS/mTLS, certificate management, token signing
- Experience with relational databases (PostgreSQL) and API design (REST, gRPC)
- Understanding of distributed systems and how authorization decisions propagate across service boundaries
- Familiarity with HashiCorp Vault or similar secrets management platforms is a plus
- Frontend experience (React, Next.js) for building identity management interfaces is a plus
Candidates are expected to uphold and actively promote sustainability principles in their daily work, operating in line with Tesla Global Environmental, Health, Safety & Security (EHS&S) Policy and EMAS requirements, fostering a culture of continuous environmental improvement.
What we offer
You will be working in our state-of-the-art Gigafactory, where you’ll solve the world's most interesting problems with the best and brightest people who share a passion to change the world. Tesla’s compensation package includes competitive salary and Tesla shares or bonuses. Typical benefits that are offered are a pension program, 30 vacation days, flexible work arrangements, corporate benefits, employee insurances, relocation, and commuting support.
Tesla is an Equal Opportunity / Affirmative Action employer committed to diversity in the workplace. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, age, national origin, disability, protected veteran status, gender identity or any other factor protected by applicable federal, state or local laws.
Tesla is also committed to working with and providing reasonable accommodations to individuals with disabilities. Please let your recruiter know if you need an accommodation at any point during the interview process.