diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9800ef5..58afd66 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -306,9 +306,7 @@ jobs:
           sudo apt-get install apparmor-utils
           sudo aa-disable /usr/sbin/unix_chkpwd
         if: ${{ startsWith(matrix.platform, 'fedora') }}
-      - env:
-          THIRD_PARTY_BUCKET: ${{ secrets.THIRD_PARTY_BUCKET }}
-        name: Run molecule tests
+      - name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index a159241..7d56ad1 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -3,7 +3,10 @@
   hosts: all
   tasks:
     - name: Include ansible-role-nessus
-      ansible.builtin.include_role:
+      # We do prepend the name of the role to the role variables, but
+      # Molecule does its own role discovery with inconsistent naming.
+      # This is the reason for the noqa below.
+      ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
         name: ansible-role-nessus
         vars:
-          nessus_package_bucket: "{{ lookup('env', 'THIRD_PARTY_BUCKET') }}"
+          nessus_package_bucket: "{{ lookup('aws_ssm', '/third_party_bucket_name') }}"
diff --git a/molecule/latest/converge.yml b/molecule/latest/converge.yml
index f6f1505..d5e0a07 100644
--- a/molecule/latest/converge.yml
+++ b/molecule/latest/converge.yml
@@ -9,5 +9,5 @@
       ansible.builtin.include_role: # noqa var-naming[no-role-prefix]
         name: ansible-role-nessus
         vars:
-          nessus_package_bucket: "{{ lookup('env', 'THIRD_PARTY_BUCKET') }}"
+          nessus_package_bucket: "{{ lookup('aws_ssm', '/third_party_bucket_name') }}"
           nessus_version: "10.8.3"
diff --git a/terraform/bucket_roles.tf b/terraform/bucket_roles.tf
index 1e8b8d7..5ac2506 100644
--- a/terraform/bucket_roles.tf
+++ b/terraform/bucket_roles.tf
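Review bot: The new `lookup('aws_ssm', '/third_party_bucket_name')` on the last added line does not make the play fail when the parameter is missing or the caller is not allowed to read it; as far as I recall, the amazon.aws lookup's default for a missing parameter is to return an empty value rather than raise, so `nessus_package_bucket` would silently become empty and the role would only fail later with a less obvious S3 error. I would make the failure explicit and use the FQCN, if the installed amazon.aws version supports it: `nessus_package_bucket: "{{ lookup('amazon.aws.aws_ssm', '/third_party_bucket_name', on_missing='error') }}"`. The lookup also resolves the region from the environment or default profile, so it is worth confirming the CI credentials and the parameter live in the same region.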
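Review bot: The SSM parameter path `/third_party_bucket_name` on the added line is now a literal in this scenario, in molecule/default/converge.yml and in the terraform `ssm_parameters` list, so a rename has to be made in three places with nothing checking that they agree. Since both scenario files pass the same `vars:` to the same role, I would pull the parameter name into a single place the scenarios share (for example a scenario-shared vars file that both converge playbooks include) and reference it as `nessus_package_bucket: "{{ lookup('aws_ssm', nessus_bucket_ssm_parameter) }}"`. The same missing-parameter behavior as in the default scenario applies here, so the lookup presumably wants an explicit error on a missing value as well.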
@@ -12,3 +12,12 @@ module "bucket_access" {
   s3_bucket  = var.nessus_bucket
   s3_objects = [var.nessus_package_pattern]
 }
+
+# Attach third-party S3 bucket read-only policy to the role used by the test
+# user
+resource "aws_iam_role_policy_attachment" "thirdpartybucketread" {
+  provider = aws.images_provisionaccount
+
+  policy_arn = module.bucket_access.policy.arn
+  role       = module.user.role.name
+}
diff --git a/terraform/user.tf b/terraform/user.tf
index ba955d4..1c0b843 100644
--- a/terraform/user.tf
+++ b/terraform/user.tf
@@ -1,24 +1,13 @@
-# Create the test user. We do not require SSM Parameter Store access
-# for this role, so we can simply use cisagov/ci-iam-user-tf-module
-# instead of cisagov/molecule-iam-user-tf-module.
+# Create the test user
 module "user" {
-  source = "github.com/cisagov/ci-iam-user-tf-module"
+  source = "github.com/cisagov/molecule-iam-user-tf-module"
 
   providers = {
-    aws    = aws.users
-    aws.ci = aws.images_provisionaccount
+    aws                         = aws.users
+    aws.images-provisionaccount = aws.images_provisionaccount
+    aws.images-ssm              = aws.images_ssm
   }
 
-  role_description = "A role that can be assumed to allow for CI testing of ansible-role-nessus via Molecule."
-  role_name        = "Test-ansible-role-nessus"
-  user_name        = "test-ansible-role-nessus"
-}
-
-# Attach third-party S3 bucket read-only policy to the role used by the test
-# user
-resource "aws_iam_role_policy_attachment" "thirdpartybucketread" {
-  provider = aws.images_provisionaccount
-
-  policy_arn = module.bucket_access.policy.arn
-  role       = module.user.role.name
+  entity         = "ansible-role-nessus"
+  ssm_parameters = ["/third_party_bucket_name"]
 }
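Review bot: `source = "github.com/cisagov/molecule-iam-user-tf-module"` on the changed line pulls the module from its default branch with no `?ref=` tag or commit, so every `terraform init` takes whatever HEAD is at that moment; because this module creates the IAM user and role whose credentials drive CI, I would pin it, e.g. `source = "github.com/cisagov/molecule-iam-user-tf-module?ref=<tag-or-sha>"` (the old source was unpinned too, but this is the line being changed). Swapping module sources presumably makes Terraform destroy the user and role from ci-iam-user-tf-module and create new ones, which rotates the CI access key and drops the explicit `Test-ansible-role-nessus` role name in favour of whatever the module derives from `entity`, so the GitHub secrets and anything trusting the old role name need updating in the same rollout. The replacement comment loses the reasoning the old one carried; I would keep it: `# Create the test user. Its role needs read access to the SSM parameter holding the bucket name, hence cisagov/molecule-iam-user-tf-module.`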