diff --git a/plugin/secrets_service_account_key.go b/plugin/secrets_service_account_key.go
index bbbb245d..fb09f7e4 100644
--- a/plugin/secrets_service_account_key.go
+++ b/plugin/secrets_service_account_key.go
@@ -3,6 +3,7 @@ package gcpsecrets
 import (
 "context"
 "fmt"
+ "time"
 
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/vault/sdk/framework"
@@ -57,6 +58,10 @@ func pathSecretServiceAccountKey(b *backend) *framework.Path {
 Description: fmt.Sprintf(`Private key type for service account key - defaults to %s"`, privateKeyTypeJson),
 Default: privateKeyTypeJson,
 },
+ "ttl": &framework.FieldSchema{
+ Type: framework.TypeDurationSecond,
+ Description: "Lifetime of the service account key",
+ },
 },
 ExistenceCheck: b.pathRoleSetExistenceCheck,
 Operations: map[logical.Operation]framework.OperationHandler{
@@ -72,6 +77,7 @@ func (b *backend) pathServiceAccountKey(ctx context.Context, req *logical.Reques
 rsName := d.Get("roleset").(string)
 keyType := d.Get("key_type").(string)
 keyAlg := d.Get("key_algorithm").(string)
+ ttl := d.Get("ttl").(int)
 
 rs, err := getRoleSet(rsName, ctx, req.Storage)
 if err != nil {
@@ -85,7 +91,7 @@ func (b *backend) pathServiceAccountKey(ctx context.Context, req *logical.Reques
 return logical.ErrorResponse(fmt.Sprintf("role set '%s' cannot generate service account keys (has secret type %s)", rsName, rs.SecretType)), nil
 }
 
- return b.getSecretKey(ctx, req.Storage, rs, keyType, keyAlg)
+ return b.getSecretKey(ctx, req.Storage, rs, keyType, keyAlg, ttl)
 }
 
 func (b *backend) secretKeyRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
@@ -167,7 +173,7 @@ func (b *backend) secretKeyRevoke(ctx context.Context, req *logical.Request, d *
 return nil, nil
 }
 
-func (b *backend) getSecretKey(ctx context.Context, s logical.Storage, rs *RoleSet, keyType, keyAlgorithm string) (*logical.Response, error) {
+func (b *backend) getSecretKey(ctx context.Context, s logical.Storage, rs *RoleSet, keyType, keyAlgorithm string, ttl int) (*logical.Response, error) {
 cfg, err := getConfig(ctx, s)
 if err != nil {
 return nil, errwrap.Wrapf("could not read backend config: {{err}}", err)
@@ -207,9 +213,12 @@ func (b *backend) getSecretKey(ctx context.Context, s logical.Storage, rs *RoleS
 }
 
 resp := b.Secret(SecretTypeKey).Response(secretD, internalD)
- resp.Secret.TTL = cfg.TTL
- resp.Secret.MaxTTL = cfg.MaxTTL
 resp.Secret.Renewable = true
+
+ if ttl > 0 {
+ resp.Secret.TTL = time.Duration(ttl) * time.Second
+ }
+
 return resp, nil
 }
 
diff --git a/scripts/dev.sh b/scripts/dev.sh
new file mode 100755
index 00000000..9c94d615
--- /dev/null
+++ b/scripts/dev.sh
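Review bot: The `@@ -207` hunk drops `resp.Secret.TTL = cfg.TTL` and `resp.Secret.MaxTTL = cfg.MaxTTL` without replacing them, so the backend's configured lease bounds no longer apply to generated service account keys: a request with no `ttl` gets whatever the lease manager defaults to rather than `cfg.TTL`, and a caller-supplied `ttl` is applied as-is with no comparison against `cfg.MaxTTL` (any capping that still happens is presumably the mount-level maximum, which is not visible here). Since the `ttl` field added in the `@@ -57` hunk is caller-controlled input, the backend config should remain both the default and the ceiling; the rewrite below keeps both assignments, overrides the TTL only when a positive `ttl` was supplied, and rejects a request above the configured max. The hunk covers only the tail of `getSecretKey`; its signature is in the `@@ -167` hunk and the rest of the body lies between the two hunks. The `ttl` field's `Description` in the `@@ -57` hunk could also state the bound, e.g. `Description: "Lifetime of the service account key; capped by the backend's configured max_ttl"`.
```go
	resp := b.Secret(SecretTypeKey).Response(secretD, internalD)
	// Backend config supplies the default lease and the ceiling; a
	// caller-supplied ttl may only shorten the lease, never exceed max_ttl.
	resp.Secret.TTL = cfg.TTL
	resp.Secret.MaxTTL = cfg.MaxTTL
	resp.Secret.Renewable = true

	if ttl > 0 {
		requested := time.Duration(ttl) * time.Second
		if cfg.MaxTTL > 0 && requested > cfg.MaxTTL {
			return logical.ErrorResponse(fmt.Sprintf("requested ttl %s exceeds configured max_ttl %s", requested, cfg.MaxTTL)), nil
		}
		resp.Secret.TTL = requested
	}

	return resp, nil
```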
@@ -0,0 +1,52 @@ +#!/usr/bin/env bash +set -eEuo pipefail + +MNT_PATH="gcp" +PLUGIN_NAME="vault-plugin-secrets-gcp" + +# +# Helper script for local development. Automatically builds and registers the +# plugin. Requires `vault` is installed and available on $PATH. +# + +# Get the right dir +DIR="$(cd "$(dirname "$(readlink "$0")")" && pwd)" + +echo "==> Starting dev" + +echo "--> Scratch dir" +echo " Creating" +SCRATCH="${DIR}/tmp" +mkdir -p "${SCRATCH}/plugins" + +function cleanup { + echo "" + echo "==> Cleaning up" + kill -INT "${VAULT_PID}" + rm -rf "${SCRATCH}" +} +trap cleanup EXIT + +echo "--> Building" +go build -o "${SCRATCH}/plugins/${PLUGIN_NAME}" + +echo "--> Starting server" + +export VAULT_TOKEN="root" +export VAULT_ADDR="http://127.0.0.1:8200" + +vault server \ + -dev \ + -dev-plugin-init \ + -dev-plugin-dir "${SCRATCH}/plugins" \ + -dev-root-token-id "root" \ + -log-level "debug" \ + & +sleep 2 +VAULT_PID=$! + +echo " Mouting plugin" +vault secrets enable -path=${MNT_PATH} -plugin-name=${PLUGIN_NAME} plugin + +echo "==> Ready!" +wait ${VAULT_PID} diff --git a/scripts/local_dev.sh b/scripts/local_dev.sh deleted file mode 100755 index 2e5b929c..00000000 --- a/scripts/local_dev.sh +++ /dev/null 
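Review bot: `cleanup` dereferences `${VAULT_PID}`, which is only assigned after `vault server` has been started, so under `set -u` any failure before that point (for example `go build` exiting non-zero) makes the EXIT trap abort on an unbound variable and `rm -rf "${SCRATCH}"` never runs. Initialising `VAULT_PID=""` next to the other variables at the top and guarding the kill with `[[ -n "${VAULT_PID}" ]] && kill -INT "${VAULT_PID}"` keeps the trap usable on every exit path. Separately, `readlink "$0"` without `-f` prints nothing when the script is invoked by its real path rather than through a symlink, so `DIR` silently resolves to the caller's current directory; `readlink -f "$0"` (or `${BASH_SOURCE[0]}`) would be more robust. The `echo " Mouting plugin"` line also carries a typo for "Mounting".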
@@ -1,65 +0,0 @@ -#!/usr/bin/env bash -set -e - -MNT_PATH="gcp" -PLUGIN_NAME="vault-plugin-secrets-gcp" -# -# Helper script for local development. Automatically builds and registers the -# plugin. Requires `vault` is installed and available on $PATH. -# - -# Get the right dir -DIR="$(cd "$(dirname "$(readlink "$0")")" && pwd)" - -echo "==> Starting dev" - -echo "--> Scratch dir" -echo " Creating" -SCRATCH="$DIR/tmp" -mkdir -p "$SCRATCH/plugins" - -echo "--> Vault server" -echo " Writing config" -tee "$SCRATCH/vault.hcl" > /dev/null < Cleaning up" - kill -INT "$VAULT_PID" - rm -rf "$SCRATCH" -} -trap cleanup EXIT - -echo " Authing" -vault auth root &>/dev/null - -echo "--> Building" -go build -o "$SCRATCH/plugins/$PLUGIN_NAME" -SHASUM=$(shasum -a 256 "$SCRATCH/plugins/$PLUGIN_NAME" | cut -d " " -f1) - -echo " Registering plugin" -vault write sys/plugins/catalog/$PLUGIN_NAME \ - sha_256="$SHASUM" \ - command="$PLUGIN_NAME" - -echo " Mouting plugin" -vault secrets enable -path=$MNT_PATH -plugin-name=$PLUGIN_NAME plugin - -echo "==> Ready!" -wait $! -