diff --git a/enos/modules/test_cli_ui/tests.tf b/enos/modules/test_cli_ui/tests.tf
index 32fc67fef3..7e33e88c7b 100644
--- a/enos/modules/test_cli_ui/tests.tf
+++ b/enos/modules/test_cli_ui/tests.tf
@@ -59,8 +59,12 @@ locals {
 }
 
 resource "enos_local_exec" "create_account" {
-  environment = local.base_environment
-  inline      = ["${var.local_boundary_dir}/boundary accounts create password -auth-method-id ${var.auth_method_id} -login-name ${local.test_user} -name ${local.test_user} -password ${local.test_password} -description 'test user' -format json"]
+  environment = {
+    BOUNDARY_ADDR  = var.alb_boundary_api_addr,
+    BOUNDARY_TOKEN = local.auth_token
+    BP = ${local.test_password}
+  }
+  inline      = ["${var.local_boundary_dir}/boundary accounts create password -auth-method-id ${var.auth_method_id} -login-name ${local.test_user} -name ${local.test_user} -password env://BP -description 'test user' -format json"]
 }
 
 resource "enos_local_exec" "create_role" {
diff --git a/enos/templates/get-token.sh b/enos/templates/get-token.sh
index 61e18bad37..85b9b33d39 100644
--- a/enos/templates/get-token.sh
+++ b/enos/templates/get-token.sh
@@ -24,4 +24,5 @@ function retry {
 # make sure the ALB is up and passing healthchecks
 retry 10 curl -s -o /dev/null ${BOUNDARY_ADDR}
 
-${BOUNDARY_PATH}/boundary authenticate password -auth-method-id=${METHOD_ID} -login-name=${LOGIN_NAME} -password=${PASSWORD} -token-name=none -format=json -keyring-type=none
+export BP="${PASSWORD}"
+${BOUNDARY_PATH}/boundary authenticate password -auth-method-id=${METHOD_ID} -login-name=${LOGIN_NAME} -password=env://BP -token-name=none -format=json -keyring-type=none
diff --git a/internal/tests/cli/boundary/_auth.bash b/internal/tests/cli/boundary/_auth.bash
index d6f5300081..4fed8e639d 100644
--- a/internal/tests/cli/boundary/_auth.bash
+++ b/internal/tests/cli/boundary/_auth.bash
@@ -1,3 +1,4 @@
 function login() {
-  boundary authenticate password -auth-method-id $DEFAULT_AMPW -login-name $1 -password $DEFAULT_PASSWORD
+  export BP="${DEFAULT_PASSWORD}"
+  boundary authenticate password -auth-method-id $DEFAULT_AMPW -login-name $1 -password env://BP
 }