About Arctiq:
Arctiq is a North American professional and managed services firm built around three Centers of Excellence: Enterprise Security, Modern Infrastructure, and Platform Engineering. We help large enterprises modernize how they deliver IT — connecting infrastructure, security, networking, applications, and cloud into a coherent operating model rather than a stack of disconnected tools.
We are a HashiCorp Hyper-Specialized partner, the highest tier in the HashiCorp Partner Network, and Canada's exclusive HashiCorp Virtual Bench partner, with over half of our delivery consultants holding HashiCorp certifications and a recognized HashiCorp Ambassador and Core Contributor on staff. This role is a staff augmentation engagement: the consultant joins a large regulated Quebec enterprise's internal platform security team, embedded on their Vault product team, while remaining part of Arctiq's HashiCorp practice and bench.
Role Summary:
The HashiCorp Vault Specialist owns the day-to-day engineering and operation of the client's Vault platform, which delivers machine-identity secrets management to internal consumer teams as a self-service product. Consumers raise a ticket in ServiceNow that triggers a GitHub Actions pipeline. The pipeline runs Terraform that configures Vault itself, including secret engines such as KV v2, dynamic-secret engines, policies, and auth methods, so most of the day-to-day engineering work happens through IaC against Vault rather than clicks in the Vault UI. The consultant won't work in ServiceNow much, but needs to understand where the consumer's process starts and how it hands off into the pipeline they own.
A central part of the platform's direction is the shift from static, long-lived secrets to dynamic, short-lived credentials issued by Vault on demand. Migrating consumer teams from static to dynamic is not in this role's scope; that work sits with the domain teams themselves. What the Vault team delivers, however, must be ready to support that change in shape and load once those teams adopt the new services.
The role sits on an internal platform security team alongside product and domain architects. The architects architect; the senior is expected to drive goals to completion, align with the architects and the business needs above, and translate that alignment into the work the team actually ships.
The team needs someone who can be a solid agile/scrum participant (documentation included), handle incidents already triaged by tier-1 and tier-2, mentor junior engineers, and look ahead to keep the platform stable as consumer teams scale. The junior engineers will be shadowing the work, so decisions need to be right the first time rather than discovered by trial and error. Scaling is not theoretical: the current setup has already hit roadblocks, and the next iteration needs to absorb more consumer teams without each new onboarding becoming a custom build.
What You Will Do:
- Write and review the Terraform that configures Vault: secret engines (KV v2, dynamic-secret engines), policies, auth methods.
- Ship changes through the team's GitHub Actions pipeline; almost never through the Vault UI.
- Keep the self-service endpoint healthy as more consumer teams onboard, refactoring so each new team is a configuration change rather than a custom build.
- Get ahead of the load and shape changes that come with the shift from static, long-lived secrets to dynamic, short-lived credentials.
- Handle Vault incidents after tier-1 and tier-2 triage: root-cause through audit logs, Terraform state, and pipeline runs; ship the fix and the follow-up hardening.
- Participate fully in agile/scrum ceremonies and documentation.
- Mentor and pair with junior engineers in a way that can be shadowed: explain the reasoning, document the patterns, and make decisions deliberately so the next engineer can replicate the approach instead of guessing.
- Drive assigned goals to completion, aligning execution with the product and domain architects above and translating that alignment into the work the team actually ships.
Qualifications
Required:
- Production HashiCorp Vault experience at senior level: hands-on ownership of secret engines, policies, and auth methods on a platform other teams depend on.
- Fluent reading Vault audit logs and acting on them.
- Strong Terraform practitioner, configuring Vault and adjacent platforms through IaC; reviewing other engineers' Terraform with an eye for safety and drift.
- CI/CD-driven workflow experience (GitHub Actions, GitLab CI, or equivalent); can debug a pipeline failure end-to-end.
- Direct experience with the static-to-dynamic secrets shift: dynamic-secret engines (databases, cloud IAM, PKI, or similar) in production, not just in a lab.
- Incident handling on a critical platform after tier-1 and tier-2 triage, with the judgment to decide what gets fixed now, what gets hardened later, and what gets documented for the next responder.
- Mentoring junior engineers in a way that can be shadowed: explaining reasoning, documenting patterns, and making deliberate decisions others can replicate.
- Drives assigned goals to completion in agile/scrum and aligns execution with product and domain architects, without needing strategy set at the task level.
- Language profile matching the header: primary working language in Quebec French, International French, or English; complementary English at C1 (French-primary) or native/C1+ (English-primary).
Preferred:
- HashiCorp Vault Associate or Operations Professional certification, or equivalent demonstrable depth (talks, contributions, internal write-ups).
- Adjacent HashiCorp tools, in particular Boundary (access) and Consul (service identity).
- Regulated-sector experience (financial services, healthcare, government, critical infrastructure) where security controls, audit, and change management are non-classic in shape.
- Cloud IAM and secret-management at one or more major clouds (AWS, Azure, GCP).
- Prior consulting or staff-augmentation experience: joining an existing team, learning its conventions quickly, adding value without imposing.
Engagement Details:
- Contract holder: Arctiq. The consultant is on Arctiq paper, billed to the end client.
- Hours / commitment: Full-time, approximately 40 hours per week, Eastern Time business hours.
- Time-zone overlap: Eastern Time required for daily standup and incident response.
- On-site cadence: Occasional, near Montréal or Québec City. Hybrid or remote within Canada otherwise.
- Path to permanent: Contract-first through end of 2026, renewable up to end of 2028, with possible conversion to permanent by Arctiq or the client.
- Rate range: [to confirm with the client / internal]
- Security clearance or background check: [to confirm: regulated-sector clients sometimes require one]
- Equipment: Client-issued laptop, VPN, and MFA are the likely model. On the Arctiq side, web-based access may be sufficient for a staff-aug engagement; an Arctiq-issued laptop is not assumed.
Tech Stack & Tools:
- Working environment: French-speaking, with English as a second language for most colleagues. French preferred, English required.
- Secrets platform: HashiCorp Vault Enterprise. Vault Dedicated (HashiCorp's SaaS) is very likely not the deployment, but candidates should be ready to discuss either, since Vault Dedicated requires an AWS or Azure private link that the Vault team would deploy, configure, and maintain.
- IaC: Terraform, configuring Vault and adjacent platforms.
- CI/CD: GitHub Actions, running Terraform against Vault as the team's primary deployment path. The current pipeline shape works but is in scope for refactoring as the platform scales: the consultant will be expected to look at maintainability (reusable workflows, modular Terraform, predictable change-management) rather than only adding features on top of what exists.
- Consumer-side intake: ServiceNow ticket triggers the GitHub Actions pipeline. The Vault team won't work in ServiceNow much but needs to understand the handoff.
- Observability: Vault audit logs are the primary signal for incident response. Where they get shipped downstream is not part of the assumptions here.
- Cloud: Primarily Azure and AWS, with very little GCP. The screen should test general cloud-infrastructure depth (IAM, core services, architecture, cloud-native concepts) rather than fluency in any one provider. The exception is Vault deployment methods: candidates need to understand how Vault is deployed on AWS and Azure, especially the private-link work that any Dedicated-style deployment requires, since the Vault product team would own that foundation as well as the Vault platform itself.
- Version control & code review: [to confirm: GitHub Enterprise assumed given GitHub Actions]
- Other HashiCorp tools in scope or adjacent: [to confirm: Boundary, Consul, Terraform Cloud or Enterprise]
Other Details:
- 4 openings
- Contract
- Duration: Through end of 2026, renewable up to end of 2028, with possible conversion to permanent
- Hybrid or remote within Canada, near Montreal or Quebec, occasional onsite
- Immediate Start
Language requirements: Quebec French, International French, or English as primary working language. If French is primary, English at CEFR C1 (advanced) is required. If English is primary, native-level or C1+ English is required.
Must be able to read dense HashiCorp Vault, Terraform, CI/CD pipeline, and cloud-provider documentation; parse a Vault audit log or Terraform error and immediately know what's wrong; and follow GitHub issues, RFCs, and vendor blog posts written in informal, abbreviated English.
Must synthesize across multiple sources to infer the right answer when no single page gives it, a senior-level skill independent of language. Both are required.
Listing Details
- Posted
- June 4, 2026
- First seen
- June 4, 2026
- Last seen
- June 5, 2026