pulumi-vault 6.4.0a1731738920__py3-none-any.whl → 6.4.0a1732100598__py3-none-any.whl

pulumi_vault/database/outputs.py

@@ -68,6 +68,8 @@ class SecretBackendConnectionCassandra(dict):
             suggest = "pem_json"
         elif key == "protocolVersion":
             suggest = "protocol_version"
+        elif key == "skipVerification":
+            suggest = "skip_verification"
 
         if suggest:
             pulumi.log.warn(f"Key '{key}' not found in SecretBackendConnectionCassandra. Access the value via the '{suggest}' property getter instead.")
@@ -89,6 +91,7 @@ class SecretBackendConnectionCassandra(dict):
                  pem_json: Optional[str] = None,
                  port: Optional[int] = None,
                  protocol_version: Optional[int] = None,
+                 skip_verification: Optional[bool] = None,
                  tls: Optional[bool] = None,
                  username: Optional[str] = None):
         """
@@ -100,6 +103,7 @@ class SecretBackendConnectionCassandra(dict):
         :param str pem_json: Specifies JSON containing a certificate and private key; a certificate, private key, and issuing CA certificate; or just a CA certificate.
         :param int port: The transport port to use to connect to Cassandra.
         :param int protocol_version: The CQL protocol version to use.
+        :param bool skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.
         :param bool tls: Whether to use TLS when connecting to Cassandra.
         :param str username: The username to use when authenticating with Cassandra.
         """
@@ -119,6 +123,8 @@ class SecretBackendConnectionCassandra(dict):
             pulumi.set(__self__, "port", port)
         if protocol_version is not None:
             pulumi.set(__self__, "protocol_version", protocol_version)
+        if skip_verification is not None:
+            pulumi.set(__self__, "skip_verification", skip_verification)
         if tls is not None:
             pulumi.set(__self__, "tls", tls)
         if username is not None:
@@ -188,6 +194,14 @@ class SecretBackendConnectionCassandra(dict):
         """
         return pulumi.get(self, "protocol_version")
 
+    @property
+    @pulumi.getter(name="skipVerification")
+    def skip_verification(self) -> Optional[bool]:
+        """
+        Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.
+        """
+        return pulumi.get(self, "skip_verification")
+
     @property
     @pulumi.getter
     def tls(self) -> Optional[bool]:
@@ -1914,8 +1928,16 @@ class SecretBackendConnectionPostgresql(dict):
             suggest = "max_idle_connections"
         elif key == "maxOpenConnections":
             suggest = "max_open_connections"
+        elif key == "privateKey":
+            suggest = "private_key"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "serviceAccountJson":
             suggest = "service_account_json"
+        elif key == "tlsCa":
+            suggest = "tls_ca"
+        elif key == "tlsCertificate":
+            suggest = "tls_certificate"
         elif key == "usernameTemplate":
             suggest = "username_template"
 
@@ -1938,7 +1960,11 @@ class SecretBackendConnectionPostgresql(dict):
                  max_idle_connections: Optional[int] = None,
                  max_open_connections: Optional[int] = None,
                  password: Optional[str] = None,
+                 private_key: Optional[str] = None,
+                 self_managed: Optional[bool] = None,
                  service_account_json: Optional[str] = None,
+                 tls_ca: Optional[str] = None,
+                 tls_certificate: Optional[str] = None,
                  username: Optional[str] = None,
                  username_template: Optional[str] = None):
         """
@@ -1949,7 +1975,11 @@ class SecretBackendConnectionPostgresql(dict):
         :param int max_idle_connections: Maximum number of idle connections to the database.
         :param int max_open_connections: Maximum number of open connections to the database.
         :param str password: The root credential password used in the connection URL
+        :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded.
+        :param bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param str service_account_json: A JSON encoded credential for use with IAM authorization
+        :param str tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+        :param str tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded.
         :param str username: The root credential username used in the connection URL
         :param str username_template: Username generation template.
         """
@@ -1967,8 +1997,16 @@ class SecretBackendConnectionPostgresql(dict):
             pulumi.set(__self__, "max_open_connections", max_open_connections)
         if password is not None:
             pulumi.set(__self__, "password", password)
+        if private_key is not None:
+            pulumi.set(__self__, "private_key", private_key)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if service_account_json is not None:
             pulumi.set(__self__, "service_account_json", service_account_json)
+        if tls_ca is not None:
+            pulumi.set(__self__, "tls_ca", tls_ca)
+        if tls_certificate is not None:
+            pulumi.set(__self__, "tls_certificate", tls_certificate)
         if username is not None:
             pulumi.set(__self__, "username", username)
         if username_template is not None:
@@ -2030,6 +2068,22 @@ class SecretBackendConnectionPostgresql(dict):
         """
         return pulumi.get(self, "password")
 
+    @property
+    @pulumi.getter(name="privateKey")
+    def private_key(self) -> Optional[str]:
+        """
+        The secret key used for the x509 client certificate. Must be PEM encoded.
+        """
+        return pulumi.get(self, "private_key")
+
+    @property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @property
     @pulumi.getter(name="serviceAccountJson")
     def service_account_json(self) -> Optional[str]:
@@ -2038,6 +2092,22 @@ class SecretBackendConnectionPostgresql(dict):
         """
         return pulumi.get(self, "service_account_json")
 
+    @property
+    @pulumi.getter(name="tlsCa")
+    def tls_ca(self) -> Optional[str]:
+        """
+        The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+        """
+        return pulumi.get(self, "tls_ca")
+
+    @property
+    @pulumi.getter(name="tlsCertificate")
+    def tls_certificate(self) -> Optional[str]:
+        """
+        The x509 client certificate for connecting to the database. Must be PEM encoded.
+        """
+        return pulumi.get(self, "tls_certificate")
+
     @property
     @pulumi.getter
     def username(self) -> Optional[str]:
@@ -2483,6 +2553,8 @@ class SecretsMountCassandra(dict):
             suggest = "protocol_version"
         elif key == "rootRotationStatements":
             suggest = "root_rotation_statements"
+        elif key == "skipVerification":
+            suggest = "skip_verification"
         elif key == "verifyConnection":
             suggest = "verify_connection"
 
@@ -2511,6 +2583,7 @@ class SecretsMountCassandra(dict):
                  port: Optional[int] = None,
                  protocol_version: Optional[int] = None,
                  root_rotation_statements: Optional[Sequence[str]] = None,
+                 skip_verification: Optional[bool] = None,
                  tls: Optional[bool] = None,
                  username: Optional[str] = None,
                  verify_connection: Optional[bool] = None):
@@ -2531,6 +2604,7 @@ class SecretsMountCassandra(dict):
         :param int port: The transport port to use to connect to Cassandra.
         :param int protocol_version: The CQL protocol version to use.
         :param Sequence[str] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials.
+        :param bool skip_verification: Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.
         :param bool tls: Whether to use TLS when connecting to Cassandra.
         :param str username: The username to use when authenticating with Cassandra.
         :param bool verify_connection: Whether the connection should be verified on
@@ -2561,6 +2635,8 @@ class SecretsMountCassandra(dict):
             pulumi.set(__self__, "protocol_version", protocol_version)
         if root_rotation_statements is not None:
             pulumi.set(__self__, "root_rotation_statements", root_rotation_statements)
+        if skip_verification is not None:
+            pulumi.set(__self__, "skip_verification", skip_verification)
         if tls is not None:
             pulumi.set(__self__, "tls", tls)
         if username is not None:
@@ -2675,6 +2751,14 @@ class SecretsMountCassandra(dict):
         """
         return pulumi.get(self, "root_rotation_statements")
 
+    @property
+    @pulumi.getter(name="skipVerification")
+    def skip_verification(self) -> Optional[bool]:
+        """
+        Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.
+        """
+        return pulumi.get(self, "skip_verification")
+
     @property
     @pulumi.getter
     def tls(self) -> Optional[bool]:
@@ -5458,10 +5542,18 @@ class SecretsMountPostgresql(dict):
             suggest = "max_open_connections"
         elif key == "pluginName":
             suggest = "plugin_name"
+        elif key == "privateKey":
+            suggest = "private_key"
         elif key == "rootRotationStatements":
             suggest = "root_rotation_statements"
+        elif key == "selfManaged":
+            suggest = "self_managed"
         elif key == "serviceAccountJson":
             suggest = "service_account_json"
+        elif key == "tlsCa":
+            suggest = "tls_ca"
+        elif key == "tlsCertificate":
+            suggest = "tls_certificate"
         elif key == "usernameTemplate":
             suggest = "username_template"
         elif key == "verifyConnection":
@@ -5490,8 +5582,12 @@ class SecretsMountPostgresql(dict):
                  max_open_connections: Optional[int] = None,
                  password: Optional[str] = None,
                  plugin_name: Optional[str] = None,
+                 private_key: Optional[str] = None,
                  root_rotation_statements: Optional[Sequence[str]] = None,
+                 self_managed: Optional[bool] = None,
                  service_account_json: Optional[str] = None,
+                 tls_ca: Optional[str] = None,
+                 tls_certificate: Optional[str] = None,
                  username: Optional[str] = None,
                  username_template: Optional[str] = None,
                  verify_connection: Optional[bool] = None):
@@ -5510,8 +5606,12 @@ class SecretsMountPostgresql(dict):
         :param int max_open_connections: Maximum number of open connections to the database.
         :param str password: The root credential password used in the connection URL
         :param str plugin_name: Specifies the name of the plugin to use.
+        :param str private_key: The secret key used for the x509 client certificate. Must be PEM encoded.
         :param Sequence[str] root_rotation_statements: A list of database statements to be executed to rotate the root user's credentials.
+        :param bool self_managed: If set, allows onboarding static roles with a rootless connection configuration.
         :param str service_account_json: A JSON encoded credential for use with IAM authorization
+        :param str tls_ca: The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+        :param str tls_certificate: The x509 client certificate for connecting to the database. Must be PEM encoded.
         :param str username: The root credential username used in the connection URL
         :param str username_template: Username generation template.
         :param bool verify_connection: Whether the connection should be verified on
@@ -5538,10 +5638,18 @@ class SecretsMountPostgresql(dict):
             pulumi.set(__self__, "password", password)
         if plugin_name is not None:
             pulumi.set(__self__, "plugin_name", plugin_name)
+        if private_key is not None:
+            pulumi.set(__self__, "private_key", private_key)
         if root_rotation_statements is not None:
             pulumi.set(__self__, "root_rotation_statements", root_rotation_statements)
+        if self_managed is not None:
+            pulumi.set(__self__, "self_managed", self_managed)
         if service_account_json is not None:
             pulumi.set(__self__, "service_account_json", service_account_json)
+        if tls_ca is not None:
+            pulumi.set(__self__, "tls_ca", tls_ca)
+        if tls_certificate is not None:
+            pulumi.set(__self__, "tls_certificate", tls_certificate)
         if username is not None:
             pulumi.set(__self__, "username", username)
         if username_template is not None:
@@ -5640,6 +5748,14 @@ class SecretsMountPostgresql(dict):
         """
         return pulumi.get(self, "plugin_name")
 
+    @property
+    @pulumi.getter(name="privateKey")
+    def private_key(self) -> Optional[str]:
+        """
+        The secret key used for the x509 client certificate. Must be PEM encoded.
+        """
+        return pulumi.get(self, "private_key")
+
     @property
     @pulumi.getter(name="rootRotationStatements")
     def root_rotation_statements(self) -> Optional[Sequence[str]]:
@@ -5648,6 +5764,14 @@ class SecretsMountPostgresql(dict):
         """
         return pulumi.get(self, "root_rotation_statements")
 
+    @property
+    @pulumi.getter(name="selfManaged")
+    def self_managed(self) -> Optional[bool]:
+        """
+        If set, allows onboarding static roles with a rootless connection configuration.
+        """
+        return pulumi.get(self, "self_managed")
+
     @property
     @pulumi.getter(name="serviceAccountJson")
     def service_account_json(self) -> Optional[str]:
@@ -5656,6 +5780,22 @@ class SecretsMountPostgresql(dict):
         """
         return pulumi.get(self, "service_account_json")
 
+    @property
+    @pulumi.getter(name="tlsCa")
+    def tls_ca(self) -> Optional[str]:
+        """
+        The x509 CA file for validating the certificate presented by the PostgreSQL server. Must be PEM encoded.
+        """
+        return pulumi.get(self, "tls_ca")
+
+    @property
+    @pulumi.getter(name="tlsCertificate")
+    def tls_certificate(self) -> Optional[str]:
+        """
+        The x509 client certificate for connecting to the database. Must be PEM encoded.
+        """
+        return pulumi.get(self, "tls_certificate")
+
     @property
     @pulumi.getter
     def username(self) -> Optional[str]:

pulumi_vault/database/secret_backend_static_role.py

@@ -27,7 +27,8 @@ class SecretBackendStaticRoleArgs:
                  rotation_period: Optional[pulumi.Input[int]] = None,
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 rotation_window: Optional[pulumi.Input[int]] = None):
+                 rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a SecretBackendStaticRole resource.
         :param pulumi.Input[str] backend: The unique name of the Vault mount to configure.
@@ -48,6 +49,9 @@ class SecretBackendStaticRoleArgs:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         """
         pulumi.set(__self__, "backend", backend)
         pulumi.set(__self__, "db_name", db_name)
@@ -64,6 +68,8 @@ class SecretBackendStaticRoleArgs:
             pulumi.set(__self__, "rotation_statements", rotation_statements)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed_password is not None:
+            pulumi.set(__self__, "self_managed_password", self_managed_password)
 
     @property
     @pulumi.getter
@@ -182,6 +188,20 @@ class SecretBackendStaticRoleArgs:
     def rotation_window(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> Optional[pulumi.Input[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
+    @self_managed_password.setter
+    def self_managed_password(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "self_managed_password", value)
+
 
 @pulumi.input_type
 class _SecretBackendStaticRoleState:
@@ -194,6 +214,7 @@ class _SecretBackendStaticRoleState:
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering SecretBackendStaticRole resources.
@@ -214,6 +235,9 @@ class _SecretBackendStaticRoleState:
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         if backend is not None:
@@ -232,6 +256,8 @@ class _SecretBackendStaticRoleState:
             pulumi.set(__self__, "rotation_statements", rotation_statements)
         if rotation_window is not None:
             pulumi.set(__self__, "rotation_window", rotation_window)
+        if self_managed_password is not None:
+            pulumi.set(__self__, "self_managed_password", self_managed_password)
         if username is not None:
             pulumi.set(__self__, "username", username)
 
@@ -340,6 +366,20 @@ class _SecretBackendStaticRoleState:
     def rotation_window(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "rotation_window", value)
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> Optional[pulumi.Input[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
+    @self_managed_password.setter
+    def self_managed_password(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "self_managed_password", value)
+
     @property
     @pulumi.getter
     def username(self) -> Optional[pulumi.Input[str]]:
@@ -366,6 +406,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
@@ -435,6 +476,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         ...
@@ -514,6 +558,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
                  rotation_schedule: Optional[pulumi.Input[str]] = None,
                  rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  rotation_window: Optional[pulumi.Input[int]] = None,
+                 self_managed_password: Optional[pulumi.Input[str]] = None,
                  username: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
@@ -536,9 +581,12 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             __props__.__dict__["rotation_schedule"] = rotation_schedule
             __props__.__dict__["rotation_statements"] = rotation_statements
             __props__.__dict__["rotation_window"] = rotation_window
+            __props__.__dict__["self_managed_password"] = None if self_managed_password is None else pulumi.Output.secret(self_managed_password)
             if username is None and not opts.urn:
                 raise TypeError("Missing required property 'username'")
             __props__.__dict__["username"] = username
+        secret_opts = pulumi.ResourceOptions(additional_secret_outputs=["selfManagedPassword"])
+        opts = pulumi.ResourceOptions.merge(opts, secret_opts)
         super(SecretBackendStaticRole, __self__).__init__(
             'vault:database/secretBackendStaticRole:SecretBackendStaticRole',
             resource_name,
@@ -557,6 +605,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
             rotation_schedule: Optional[pulumi.Input[str]] = None,
             rotation_statements: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
             rotation_window: Optional[pulumi.Input[int]] = None,
+            self_managed_password: Optional[pulumi.Input[str]] = None,
             username: Optional[pulumi.Input[str]] = None) -> 'SecretBackendStaticRole':
         """
         Get an existing SecretBackendStaticRole resource's state with the given name, id, and optional extra
@@ -582,6 +631,9 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[str]]] rotation_statements: Database statements to execute to rotate the password for the configured database user.
         :param pulumi.Input[int] rotation_window: The amount of time, in seconds, in which rotations are allowed to occur starting
                from a given `rotation_schedule`.
+        :param pulumi.Input[str] self_managed_password: The password corresponding to the username in the database.
+               Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+               select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
         :param pulumi.Input[str] username: The database username that this static role corresponds to.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
@@ -596,6 +648,7 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         __props__.__dict__["rotation_schedule"] = rotation_schedule
         __props__.__dict__["rotation_statements"] = rotation_statements
         __props__.__dict__["rotation_window"] = rotation_window
+        __props__.__dict__["self_managed_password"] = self_managed_password
         __props__.__dict__["username"] = username
         return SecretBackendStaticRole(resource_name, opts=opts, __props__=__props__)
 
@@ -672,6 +725,16 @@ class SecretBackendStaticRole(pulumi.CustomResource):
         """
         return pulumi.get(self, "rotation_window")
 
+    @property
+    @pulumi.getter(name="selfManagedPassword")
+    def self_managed_password(self) -> pulumi.Output[Optional[str]]:
+        """
+        The password corresponding to the username in the database.
+        Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
+        select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
+        """
+        return pulumi.get(self, "self_managed_password")
+
     @property
     @pulumi.getter
     def username(self) -> pulumi.Output[str]:

pulumi_vault/gcp/secret_impersonated_account.py

@@ -23,7 +23,8 @@ class SecretImpersonatedAccountArgs:
                  impersonated_account: pulumi.Input[str],
                  service_account_email: pulumi.Input[str],
                  namespace: Optional[pulumi.Input[str]] = None,
-                 token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+                 token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 ttl: Optional[pulumi.Input[str]] = None):
         """
         The set of arguments for constructing a SecretImpersonatedAccount resource.
         :param pulumi.Input[str] backend: Path where the GCP Secrets Engine is mounted
@@ -31,6 +32,8 @@ class SecretImpersonatedAccountArgs:
         :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate.
         :param pulumi.Input[str] namespace: Target namespace. (requires Enterprise)
         :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account.
+        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         pulumi.set(__self__, "backend", backend)
         pulumi.set(__self__, "impersonated_account", impersonated_account)
@@ -39,6 +42,8 @@ class SecretImpersonatedAccountArgs:
             pulumi.set(__self__, "namespace", namespace)
         if token_scopes is not None:
             pulumi.set(__self__, "token_scopes", token_scopes)
+        if ttl is not None:
+            pulumi.set(__self__, "ttl", ttl)
 
     @property
     @pulumi.getter
@@ -100,6 +105,19 @@ class SecretImpersonatedAccountArgs:
     def token_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "token_scopes", value)
 
+    @property
+    @pulumi.getter
+    def ttl(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")
+
+    @ttl.setter
+    def ttl(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "ttl", value)
+
 
 @pulumi.input_type
 class _SecretImpersonatedAccountState:
@@ -109,7 +127,8 @@ class _SecretImpersonatedAccountState:
                  namespace: Optional[pulumi.Input[str]] = None,
                  service_account_email: Optional[pulumi.Input[str]] = None,
                  service_account_project: Optional[pulumi.Input[str]] = None,
-                 token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+                 token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 ttl: Optional[pulumi.Input[str]] = None):
         """
         Input properties used for looking up and filtering SecretImpersonatedAccount resources.
         :param pulumi.Input[str] backend: Path where the GCP Secrets Engine is mounted
@@ -118,6 +137,8 @@ class _SecretImpersonatedAccountState:
         :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate.
         :param pulumi.Input[str] service_account_project: Project the service account belongs to.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account.
+        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         if backend is not None:
             pulumi.set(__self__, "backend", backend)
@@ -131,6 +152,8 @@ class _SecretImpersonatedAccountState:
             pulumi.set(__self__, "service_account_project", service_account_project)
         if token_scopes is not None:
             pulumi.set(__self__, "token_scopes", token_scopes)
+        if ttl is not None:
+            pulumi.set(__self__, "ttl", ttl)
 
     @property
     @pulumi.getter
@@ -204,6 +227,19 @@ class _SecretImpersonatedAccountState:
     def token_scopes(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "token_scopes", value)
 
+    @property
+    @pulumi.getter
+    def ttl(self) -> Optional[pulumi.Input[str]]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")
+
+    @ttl.setter
+    def ttl(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "ttl", value)
+
 
 class SecretImpersonatedAccount(pulumi.CustomResource):
     @overload
@@ -215,6 +251,7 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  service_account_email: Optional[pulumi.Input[str]] = None,
                  token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 ttl: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         """
         Creates a Impersonated Account in the [GCP Secrets Engine](https://www.vaultproject.io/docs/secrets/gcp/index.html) for Vault.
@@ -256,6 +293,8 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
         :param pulumi.Input[str] namespace: Target namespace. (requires Enterprise)
         :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account.
+        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         ...
     @overload
@@ -316,6 +355,7 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
                  namespace: Optional[pulumi.Input[str]] = None,
                  service_account_email: Optional[pulumi.Input[str]] = None,
                  token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 ttl: Optional[pulumi.Input[str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -336,6 +376,7 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
                 raise TypeError("Missing required property 'service_account_email'")
             __props__.__dict__["service_account_email"] = service_account_email
             __props__.__dict__["token_scopes"] = token_scopes
+            __props__.__dict__["ttl"] = ttl
             __props__.__dict__["service_account_project"] = None
         super(SecretImpersonatedAccount, __self__).__init__(
             'vault:gcp/secretImpersonatedAccount:SecretImpersonatedAccount',
@@ -352,7 +393,8 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
             namespace: Optional[pulumi.Input[str]] = None,
             service_account_email: Optional[pulumi.Input[str]] = None,
             service_account_project: Optional[pulumi.Input[str]] = None,
-            token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None) -> 'SecretImpersonatedAccount':
+            token_scopes: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+            ttl: Optional[pulumi.Input[str]] = None) -> 'SecretImpersonatedAccount':
         """
         Get an existing SecretImpersonatedAccount resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -366,6 +408,8 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
         :param pulumi.Input[str] service_account_email: Email of the GCP service account to impersonate.
         :param pulumi.Input[str] service_account_project: Project the service account belongs to.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] token_scopes: List of OAuth scopes to assign to access tokens generated under this impersonated account.
+        :param pulumi.Input[str] ttl: Specifies the default TTL for service principals generated using this role.
+               Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -377,6 +421,7 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
         __props__.__dict__["service_account_email"] = service_account_email
         __props__.__dict__["service_account_project"] = service_account_project
         __props__.__dict__["token_scopes"] = token_scopes
+        __props__.__dict__["ttl"] = ttl
         return SecretImpersonatedAccount(resource_name, opts=opts, __props__=__props__)
 
     @property
@@ -427,3 +472,12 @@ class SecretImpersonatedAccount(pulumi.CustomResource):
         """
         return pulumi.get(self, "token_scopes")
 
+    @property
+    @pulumi.getter
+    def ttl(self) -> pulumi.Output[str]:
+        """
+        Specifies the default TTL for service principals generated using this role.
+        Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
+        """
+        return pulumi.get(self, "ttl")
+