PAM Platform
Privileged Access Management · Zero Trust Architecture
A production-grade PAM platform built from scratch as a solo engineering project — deepening architecture skills beyond day-to-day operations. Designed for enterprise-scale deployment with zero-trust principles throughout.
// principles
Design Philosophy
Zero Trust
Never trust, always verify — every request authenticated and authorised at the gateway and service level.
Policy as Code
All access decisions expressed as Rego policies, version-controlled, tested in CI, and deployed automatically.
Dynamic Secrets
No long-lived credentials. Vault issues short-lived, auto-rotated secrets per workload identity.
Least Privilege
Kubernetes RBAC, Vault policies, and OPA rules all scoped to minimum required permissions.
// stack
Technology Stack
Central IdP handling authentication, SSO, and OIDC/SAML federation. Custom realms per environment with fine-grained client policies.
Dynamic secrets engine for database credentials, PKI certificates, and SSH OTP. Vault Agent sidecar injection for Kubernetes workloads.
Centralised policy-as-code layer enforcing RBAC and ABAC decisions across services. Rego policies version-controlled in Git.
Ingress layer enforcing JWT validation, rate limiting, and OPA policy checks before requests reach upstream services.
Full workload orchestration with namespace isolation, network policies, and Vault Agent sidecar injection for zero-trust secret delivery.
// roadmap
Build Phases
Identity Foundation
Complete- Keycloak deployed on Kubernetes with HA configuration
- Custom realm with client policies and token lifetimes
- OIDC discovery endpoint and JWKS rotation
- Admin CLI automation via shell scripts
Secrets Infrastructure
Complete- Vault HA cluster with Raft storage backend
- Kubernetes auth method for workload identity
- Dynamic database secrets engine (PostgreSQL)
- PKI secrets engine for internal TLS certificates
Policy as Code
In Progress- OPA deployed as admission controller
- Rego policies for RBAC enforcement
- Policy bundle CI/CD pipeline (Git → OPA)
- Audit logging for policy decisions
API Gateway Layer
In Progress- Kong Gateway with JWT plugin (Keycloak-issued tokens)
- OPA plugin for request-level policy enforcement
- Rate limiting and IP allowlist policies
- mTLS between gateway and upstream services
Observability & Hardening
Planned- Centralised audit log aggregation (Loki + Grafana)
- Vault audit device → SIEM pipeline
- Keycloak event listener → audit stream
- Penetration testing and threat modelling
// interested?
Want to discuss the architecture?
I'm happy to walk through design decisions, trade-offs, and lessons learned. Reach out if you're building something similar or want to collaborate.