No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I'm not 100% if its possible or not, but you definitely should not pass around AWS creds like this.

Can you elaborate? Pulumi prides itself with secrets as a first class citizen - why not use them?

(but even if "base" would store them in a key vault from where "actual" reads them, the question remains the same: How to configure the default / implicit provider at runtime?)

I believe you'll need to create an explicit provider in order to do what you're seeking.