diff --git a/nodeup/pkg/model/bootstrap_client.go b/nodeup/pkg/model/bootstrap_client.go
index a118c85a35..5095b3cfa6 100644
--- a/nodeup/pkg/model/bootstrap_client.go
+++ b/nodeup/pkg/model/bootstrap_client.go
@@ -43,7 +43,7 @@ func (b BootstrapClientBuilder) Build(c *fi.ModelBuilderContext) error {
 
 	var authenticator bootstrap.Authenticator
 	var err error
-	switch kops.CloudProviderID(b.Cluster.Spec.CloudProvider) {
+	switch b.CloudProvider {
 	case kops.CloudProviderAWS:
 		authenticator, err = awsup.NewAWSAuthenticator(b.Cloud.Region())
 	case kops.CloudProviderGCE:
@@ -52,7 +52,7 @@ func (b BootstrapClientBuilder) Build(c *fi.ModelBuilderContext) error {
 		// instead we use this as a check that protokube has now started.
 
 	default:
-		return fmt.Errorf("unsupported cloud provider for authenticator %q", b.Cluster.Spec.CloudProvider)
+		return fmt.Errorf("unsupported cloud provider for authenticator %q", b.CloudProvider)
 	}
 
 	if err != nil {
diff --git a/nodeup/pkg/model/cloudconfig.go b/nodeup/pkg/model/cloudconfig.go
index 79fb7b380a..0c2c1ed1b3 100644
--- a/nodeup/pkg/model/cloudconfig.go
+++ b/nodeup/pkg/model/cloudconfig.go
@@ -86,7 +86,7 @@ func (b *CloudConfigBuilder) build(c *fi.ModelBuilderContext, inTree bool) error
 	// Add cloud config file if needed
 	var lines []string
 
-	cloudProvider := b.Cluster.Spec.CloudProvider
+	cloudProvider := b.CloudProvider
 	cloudConfig := b.Cluster.Spec.CloudConfig
 
 	if cloudConfig == nil {
diff --git a/nodeup/pkg/model/cloudconfig_test.go b/nodeup/pkg/model/cloudconfig_test.go
index 89241c45f1..6643b633a1 100644
--- a/nodeup/pkg/model/cloudconfig_test.go
+++ b/nodeup/pkg/model/cloudconfig_test.go
@@ -63,7 +63,8 @@ func TestBuildAzure(t *testing.T) {
 
 	b := &CloudConfigBuilder{
 		NodeupModelContext: &NodeupModelContext{
-			Cluster: cluster,
+			CloudProvider: kops.CloudProviderAzure,
+			Cluster:       cluster,
 		},
 	}
 	ctx := &fi.ModelBuilderContext{
@@ -131,7 +132,8 @@ func TestBuildAWSCustomNodeIPFamilies(t *testing.T) {
 
 	b := &CloudConfigBuilder{
 		NodeupModelContext: &NodeupModelContext{
-			Cluster: cluster,
+			CloudProvider: kops.CloudProviderAWS,
+			Cluster:       cluster,
 		},
 	}
 	ctx := &fi.ModelBuilderContext{
diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index 481fa1ae89..75ddf193e2 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -72,6 +72,8 @@ type NodeupModelContext struct {
 	ConfigurationMode string
 	InstanceID        string
 	MachineType       string
+
+	CloudProvider kops.CloudProviderID
 }
 
 // Init completes initialization of the object, for example pre-parsing the kubernetes version
@@ -613,5 +615,5 @@ func (c *NodeupModelContext) InstallNvidiaRuntime() bool {
 
 // RunningOnGCE returns true if we are running on GCE
 func (c *NodeupModelContext) RunningOnGCE() bool {
-	return kops.CloudProviderID(c.Cluster.Spec.CloudProvider) == kops.CloudProviderGCE
+	return c.CloudProvider == kops.CloudProviderGCE
 }
diff --git a/nodeup/pkg/model/kube_apiserver.go b/nodeup/pkg/model/kube_apiserver.go
index f816fc0ccb..bcee963d4a 100644
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@@ -378,7 +378,7 @@ func (b *KubeAPIServerBuilder) writeServerCertificate(c *fi.ModelBuilderContext,
 		// We also want to be able to reference it locally via https://127.0.0.1
 		alternateNames = append(alternateNames, "127.0.0.1")
 
-		if b.Cluster.Spec.CloudProvider == "openstack" {
+		if b.CloudProvider == kops.CloudProviderOpenstack {
 			if b.Cluster.Spec.Topology != nil && b.Cluster.Spec.Topology.Masters == kops.TopologyPrivate {
 				instanceAddress, err := getInstanceAddress()
 				if err != nil {
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index 9ab72d5df4..8308ca968e 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -599,7 +599,7 @@ func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.ModelBuilderContex
 }
 
 func (b *KubeletBuilder) kubeletNames() ([]string, error) {
-	if kops.CloudProviderID(b.Cluster.Spec.CloudProvider) != kops.CloudProviderAWS {
+	if b.CloudProvider != kops.CloudProviderAWS {
 		name, err := os.Hostname()
 		if err != nil {
 			return nil, err
diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
index 50415232df..66039b1fde 100644
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@@ -253,8 +253,9 @@ func BuildNodeupModelContext(model *testutils.Model) (*NodeupModelContext, error
 	}
 
 	nodeupModelContext := &NodeupModelContext{
-		Architecture: "amd64",
-		BootConfig:   &nodeup.BootConfig{},
+		Architecture:  "amd64",
+		BootConfig:    &nodeup.BootConfig{},
+		CloudProvider: kops.CloudProviderID(model.Cluster.Spec.CloudProvider),
 		NodeupConfig: &nodeup.Config{
 			CAs:        map[string]string{},
 			KeypairIDs: map[string]string{},
diff --git a/nodeup/pkg/model/ntp.go b/nodeup/pkg/model/ntp.go
index 0cc33a86f3..ea147a0871 100644
--- a/nodeup/pkg/model/ntp.go
+++ b/nodeup/pkg/model/ntp.go
@@ -18,6 +18,7 @@ package model
 
 import (
 	"k8s.io/klog/v2"
+	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 	"k8s.io/kops/util/pkg/distributions"
@@ -49,10 +50,10 @@ func (b *NTPBuilder) Build(c *fi.ModelBuilderContext) error {
 	}
 
 	var ntpHost string
-	switch b.Cluster.Spec.CloudProvider {
-	case "aws":
+	switch b.CloudProvider {
+	case kops.CloudProviderAWS:
 		ntpHost = "169.254.169.123"
-	case "gce":
+	case kops.CloudProviderGCE:
 		ntpHost = "time.google.com"
 	default:
 		ntpHost = ""
diff --git a/nodeup/pkg/model/protokube.go b/nodeup/pkg/model/protokube.go
index 21f907e4bb..3558c66004 100644
--- a/nodeup/pkg/model/protokube.go
+++ b/nodeup/pkg/model/protokube.go
@@ -231,11 +231,11 @@ func (t *ProtokubeBuilder) ProtokubeFlags(k8sVersion semver.Version) (*Protokube
 		f.DNSInternalSuffix = fi.String(internalSuffix)
 	}
 
-	if t.Cluster.Spec.CloudProvider != "" {
-		f.Cloud = fi.String(t.Cluster.Spec.CloudProvider)
+	if t.CloudProvider != "" {
+		f.Cloud = fi.String(string(t.CloudProvider))
 
 		if f.DNSProvider == nil {
-			switch kops.CloudProviderID(t.Cluster.Spec.CloudProvider) {
+			switch t.CloudProvider {
 			case kops.CloudProviderAWS:
 				f.DNSProvider = fi.String("aws-route53")
 			case kops.CloudProviderDO:
@@ -243,7 +243,7 @@ func (t *ProtokubeBuilder) ProtokubeFlags(k8sVersion semver.Version) (*Protokube
 			case kops.CloudProviderGCE:
 				f.DNSProvider = fi.String("google-clouddns")
 			default:
-				klog.Warningf("Unknown cloudprovider %q; won't set DNS provider", t.Cluster.Spec.CloudProvider)
+				klog.Warningf("Unknown cloudprovider %q; won't set DNS provider", t.CloudProvider)
 			}
 		}
 	}
@@ -327,7 +327,7 @@ func (t *ProtokubeBuilder) buildEnvFile() (*nodetasks.File, error) {
 		}
 	}
 
-	if kops.CloudProviderID(t.Cluster.Spec.CloudProvider) == kops.CloudProviderDO && os.Getenv("DIGITALOCEAN_ACCESS_TOKEN") != "" {
+	if t.CloudProvider == kops.CloudProviderDO && os.Getenv("DIGITALOCEAN_ACCESS_TOKEN") != "" {
 		envVars["DIGITALOCEAN_ACCESS_TOKEN"] = os.Getenv("DIGITALOCEAN_ACCESS_TOKEN")
 	}
 
diff --git a/nodeup/pkg/model/sysctls.go b/nodeup/pkg/model/sysctls.go
index 8396d7dd59..f1f29ffa90 100644
--- a/nodeup/pkg/model/sysctls.go
+++ b/nodeup/pkg/model/sysctls.go
@@ -133,7 +133,7 @@ func (b *SysctlBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}
 
-	if b.Cluster.Spec.CloudProvider == string(kops.CloudProviderAWS) {
+	if b.CloudProvider == kops.CloudProviderAWS {
 		sysctls = append(sysctls,
 			"# AWS settings",
 			"",
diff --git a/nodeup/pkg/model/warm_pool.go b/nodeup/pkg/model/warm_pool.go
index e867bcb76a..26470396d7 100644
--- a/nodeup/pkg/model/warm_pool.go
+++ b/nodeup/pkg/model/warm_pool.go
@@ -30,7 +30,7 @@ var _ fi.ModelBuilder = &WarmPoolBuilder{}
 
 func (b *WarmPoolBuilder) Build(c *fi.ModelBuilderContext) error {
 	// Check if the cloud provider is AWS
-	if b.Cluster == nil || b.Cluster.Spec.CloudProvider != string(kops.CloudProviderAWS) {
+	if b.CloudProvider != kops.CloudProviderAWS {
 		return nil
 	}
 
diff --git a/upup/pkg/fi/nodeup/command.go b/upup/pkg/fi/nodeup/command.go
index 55bdc04a23..1db3166c2f 100644
--- a/upup/pkg/fi/nodeup/command.go
+++ b/upup/pkg/fi/nodeup/command.go
@@ -182,7 +182,12 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 		return fmt.Errorf("nodeup config hash mismatch")
 	}
 
-	err = evaluateSpec(c, &nodeupConfig)
+	cloudProvider := api.CloudProviderID(bootConfig.CloudProvider)
+	if cloudProvider == "" {
+		cloudProvider = api.CloudProviderID(c.cluster.Spec.CloudProvider)
+	}
+
+	err = evaluateSpec(c, &nodeupConfig, cloudProvider)
 	if err != nil {
 		return err
 	}
@@ -208,7 +213,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 
 	var cloud fi.Cloud
 
-	if api.CloudProviderID(c.cluster.Spec.CloudProvider) == api.CloudProviderAWS {
+	if cloudProvider == api.CloudProviderAWS {
 		awsCloud, err := awsup.NewAWSCloud(region, nil)
 		if err != nil {
 			return err
@@ -217,14 +222,15 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	}
 
 	modelContext := &model.NodeupModelContext{
-		Cloud:        cloud,
-		Architecture: architecture,
-		Assets:       assetStore,
-		Cluster:      c.cluster,
-		ConfigBase:   configBase,
-		Distribution: distribution,
-		BootConfig:   &bootConfig,
-		NodeupConfig: &nodeupConfig,
+		Cloud:         cloud,
+		CloudProvider: cloudProvider,
+		Architecture:  architecture,
+		Assets:        assetStore,
+		Cluster:       c.cluster,
+		ConfigBase:    configBase,
+		Distribution:  distribution,
+		BootConfig:    &bootConfig,
+		NodeupConfig:  &nodeupConfig,
 	}
 
 	var secretStore fi.SecretStore
@@ -263,7 +269,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 		return err
 	}
 
-	if api.CloudProviderID(c.cluster.Spec.CloudProvider) == api.CloudProviderAWS {
+	if cloudProvider == api.CloudProviderAWS {
 		instanceIDBytes, err := vfs.Context.ReadFile("metadata://aws/meta-data/instance-id")
 		if err != nil {
 			return fmt.Errorf("error reading instance-id from AWS metadata: %v", err)
@@ -394,7 +400,7 @@ func (c *NodeUpCommand) Run(out io.Writer) error {
 	}
 
 	if nodeupConfig.EnableLifecycleHook {
-		if api.CloudProviderID(c.cluster.Spec.CloudProvider) == api.CloudProviderAWS {
+		if cloudProvider == api.CloudProviderAWS {
 			err := completeWarmingLifecycleAction(cloud.(awsup.AWSCloud), modelContext)
 			if err != nil {
 				return fmt.Errorf("failed to complete lifecylce action: %w", err)
@@ -449,8 +455,8 @@ func completeWarmingLifecycleAction(cloud awsup.AWSCloud, modelContext *model.No
 	return nil
 }
 
-func evaluateSpec(c *NodeUpCommand, nodeupConfig *nodeup.Config) error {
-	hostnameOverride, err := evaluateHostnameOverride(api.CloudProviderID(c.cluster.Spec.CloudProvider), nodeupConfig.UseInstanceIDForNodeName)
+func evaluateSpec(c *NodeUpCommand, nodeupConfig *nodeup.Config, cloudProvider api.CloudProviderID) error {
+	hostnameOverride, err := evaluateHostnameOverride(cloudProvider, nodeupConfig.UseInstanceIDForNodeName)
 	if err != nil {
 		return err
 	}