CC-7056: Add credentials subcommand to containers registries (#12693)

martinezjandrew · web-flow · commit 150ef7bcaa9a · 2026-03-02T18:06:11.000-06:00
Co-authored-by: amartinez &lt;amartinez@cloudflare.com&gt;
diff --git a/.changeset/tricky-frogs-fry.md b/.changeset/tricky-frogs-fry.md
@@ -0,0 +1,21 @@
+---
+"wrangler": minor
+---
+
+Add `wrangler containers registries credentials` command for generating temporary push/pull credentials
+
+This command generates short-lived credentials for authenticating with the Cloudflare managed registry (`registry.cloudflare.com`). Useful for CI/CD pipelines or local Docker authentication.
+
+```bash
+# Generate push credentials (for uploading images)
+wrangler containers registries credentials registry.cloudflare.com --push
+
+# Generate pull credentials (for downloading images)
+wrangler containers registries credentials registry.cloudflare.com --pull
+
+# Generate credentials with both permissions
+wrangler containers registries credentials registry.cloudflare.com --push --pull
+
+# Custom expiration (default 15)
+wrangler containers registries credentials registry.cloudflare.com --push --expiration-minutes=30
+```
diff --git a/packages/wrangler/src/__tests__/containers/registries.test.ts b/packages/wrangler/src/__tests__/containers/registries.test.ts
@@ -660,6 +660,125 @@ describe("containers registries delete", () => {
 	});
 });
 
+describe("containers registries credentials", () => {
+	const { setIsTTY } = useMockIsTTY();
+	const std = mockConsoleMethods();
+	mockAccountId();
+	mockApiToken();
+	beforeEach(() => {
+		mockAccount();
+	});
+
+	afterEach(() => {
+		msw.resetHandlers();
+	});
+
+	it("should reject non-Cloudflare registry domains", async () => {
+		setIsTTY(false);
+		await expect(
+			runWrangler("containers registries credentials example.com --push")
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: The credentials command only accepts the Cloudflare managed registry (registry.cloudflare.com).]`
+		);
+	});
+
+	it("should default to Cloudflare registry when DOMAIN is omitted", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials("registry.cloudflare.com", "test-password", 15, [
+			"push",
+		]);
+
+		await runWrangler("containers registries credentials --push");
+
+		expect(std.out).toMatchInlineSnapshot(`"test-password"`);
+	});
+
+	it("should require --push or --pull", async () => {
+		setIsTTY(false);
+		await expect(
+			runWrangler("containers registries credentials registry.cloudflare.com")
+		).rejects.toThrowErrorMatchingInlineSnapshot(
+			`[Error: You have to specify either --push or --pull in the command.]`
+		);
+	});
+
+	it("should generate credentials with --push", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials("registry.cloudflare.com", "test-password", 15, [
+			"push",
+		]);
+
+		await runWrangler(
+			"containers registries credentials registry.cloudflare.com --push"
+		);
+
+		expect(std.out).toMatchInlineSnapshot(`"test-password"`);
+	});
+
+	it("should generate credentials with --pull", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials("registry.cloudflare.com", "test-password", 15, [
+			"pull",
+		]);
+
+		await runWrangler(
+			"containers registries credentials registry.cloudflare.com --pull"
+		);
+
+		expect(std.out).toMatchInlineSnapshot(`"test-password"`);
+	});
+
+	it("should generate credentials with both --push and --pull", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials("registry.cloudflare.com", "jwt-token", 15, [
+			"push",
+			"pull",
+		]);
+
+		await runWrangler(
+			"containers registries credentials registry.cloudflare.com --push --pull"
+		);
+
+		expect(std.out).toMatchInlineSnapshot(`"jwt-token"`);
+	});
+
+	it("should support custom expiration-minutes", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials(
+			"registry.cloudflare.com",
+			"custom-expiry-token",
+			30,
+			["push"]
+		);
+
+		await runWrangler(
+			"containers registries credentials registry.cloudflare.com --push --expiration-minutes=30"
+		);
+
+		expect(std.out).toMatchInlineSnapshot(`"custom-expiry-token"`);
+	});
+
+	it("should output valid JSON when --json flag is used", async () => {
+		setIsTTY(false);
+		mockGenerateCredentials("registry.cloudflare.com", "test-password", 15, [
+			"push",
+		]);
+
+		await runWrangler(
+			"containers registries credentials registry.cloudflare.com --push --json"
+		);
+
+		expect(JSON.parse(std.out)).toMatchInlineSnapshot(`
+			{
+			  "account_id": "some-account-id",
+			  "password": "test-password",
+			  "registry_host": "registry.cloudflare.com",
+			  "username": "test-username",
+			}
+		`);
+	});
+});
+
 const mockPutRegistry = (expected?: object) => {
 	msw.use(
 		http.post(
@@ -704,3 +823,32 @@ const mockDeleteRegistry = (domain: string, secretsStoreRef?: string) => {
 		)
 	);
 };
+
+const mockGenerateCredentials = (
+	domain: string,
+	password: string,
+	expectedExpirationMinutes: number,
+	expectedPermissions: string[]
+) => {
+	msw.use(
+		http.post(
+			`*/accounts/:accountId/containers/registries/${domain}/credentials`,
+			async ({ request, params }) => {
+				const body = (await request.json()) as {
+					expiration_minutes: number;
+					permissions: string[];
+				};
+				expect(body.expiration_minutes).toBe(expectedExpirationMinutes);
+				expect(body.permissions).toEqual(expectedPermissions);
+				return HttpResponse.json(
+					createFetchResult({
+						account_id: params.accountId,
+						registry_host: domain,
+						username: "test-username",
+						password: password,
+					})
+				);
+			}
+		)
+	);
+};
diff --git a/packages/wrangler/src/containers/index.ts b/packages/wrangler/src/containers/index.ts
@@ -25,6 +25,7 @@ export {
 	containersRegistriesConfigureCommand,
 	containersRegistriesListCommand,
 	containersRegistriesDeleteCommand,
+	containersRegistriesCredentialsCommand,
 } from "./registries";
 
 // Build and push commands
diff --git a/packages/wrangler/src/containers/registries.ts b/packages/wrangler/src/containers/registries.ts
@@ -8,6 +8,7 @@ import {
 import {
 	ApiError,
 	getAndValidateRegistryType,
+	getCloudflareContainerRegistry,
 	ImageRegistriesService,
 } from "@cloudflare/containers-shared";
 import {
@@ -39,7 +40,10 @@ import type {
 	CommonYargsArgv,
 	StrictYargsOptionsToInterface,
 } from "../yargs-types";
-import type { DeleteImageRegistryResponse } from "@cloudflare/containers-shared";
+import type {
+	DeleteImageRegistryResponse,
+	ImageRegistryPermissions,
+} from "@cloudflare/containers-shared";
 import type { ImageRegistryAuth } from "@cloudflare/containers-shared/src/client/models/ImageRegistryAuth";
 import type { Config } from "@cloudflare/workers-utils";
 
@@ -482,6 +486,42 @@ async function registryDeleteCommand(
 	}
 }
 
+async function registryCredentialsCommand(credentialsArgs: {
+	DOMAIN?: string;
+	expirationMinutes: number;
+	push?: boolean;
+	pull?: boolean;
+	json?: boolean;
+}) {
+	const cloudflareRegistry = getCloudflareContainerRegistry();
+	const domain = credentialsArgs.DOMAIN || cloudflareRegistry;
+	if (domain !== cloudflareRegistry) {
+		throw new UserError(
+			`The credentials command only accepts the Cloudflare managed registry (${cloudflareRegistry}).`
+		);
+	}
+
+	if (!credentialsArgs.pull && !credentialsArgs.push) {
+		throw new UserError(
+			"You have to specify either --push or --pull in the command."
+		);
+	}
+
+	const credentials =
+		await ImageRegistriesService.generateImageRegistryCredentials(domain, {
+			expiration_minutes: credentialsArgs.expirationMinutes,
+			permissions: [
+				...(credentialsArgs.push ? ["push"] : []),
+				...(credentialsArgs.pull ? ["pull"] : []),
+			] as ImageRegistryPermissions[],
+		});
+	if (credentialsArgs.json) {
+		logger.json(credentials);
+	} else {
+		logger.log(credentials.password);
+	}
+}
+
 export const containersRegistriesNamespace = createNamespace({
 	metadata: {
 		description: "Configure and manage non-Cloudflare registries",
@@ -605,3 +645,43 @@ export const containersRegistriesDeleteCommand = createCommand({
 		await registryDeleteCommand(args, config);
 	},
 });
+
+export const containersRegistriesCredentialsCommand = createCommand({
+	metadata: {
+		description: "Get a temporary password for a specific domain",
+		status: "open beta",
+		owner: "Product: Cloudchamber",
+	},
+	behaviour: {
+		printBanner: (args) => !args.json && !isNonInteractiveOrCI(),
+	},
+	args: {
+		DOMAIN: {
+			type: "string",
+			describe: "Domain to get credentials for",
+		},
+		"expiration-minutes": {
+			type: "number",
+			default: 15,
+			description: "How long the credentials should be valid for (in minutes)",
+		},
+		push: {
+			type: "boolean",
+			description: "If you want these credentials to be able to push",
+		},
+		pull: {
+			type: "boolean",
+			description: "If you want these credentials to be able to pull",
+		},
+		json: {
+			type: "boolean",
+			description: "Format output as JSON",
+			default: false,
+		},
+	},
+	positionalArgs: ["DOMAIN"],
+	async handler(args, { config }) {
+		await fillOpenAPIConfiguration(config, containersScope);
+		await registryCredentialsCommand(args);
+	},
+});
diff --git a/packages/wrangler/src/index.ts b/packages/wrangler/src/index.ts
@@ -58,6 +58,7 @@ import {
 	containersNamespace,
 	containersPushCommand,
 	containersRegistriesConfigureCommand,
+	containersRegistriesCredentialsCommand,
 	containersRegistriesDeleteCommand,
 	containersRegistriesListCommand,
 	containersRegistriesNamespace,
@@ -1534,6 +1535,10 @@ export function createCLIParser(argv: string[]) {
 			command: "wrangler containers registries delete",
 			definition: containersRegistriesDeleteCommand,
 		},
+		{
+			command: "wrangler containers registries credentials",
+			definition: containersRegistriesCredentialsCommand,
+		},
 		{
 			command: "wrangler containers images",
 			definition: containersImagesNamespace,
