diff --git a/cli/command/container/auth_config_utils.go b/cli/command/container/auth_config_utils.go
new file mode 100644
index 0000000000..f908bd8498
--- /dev/null
+++ b/cli/command/container/auth_config_utils.go
@@ -0,0 +1,46 @@
+package container
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/docker/cli/cli/config/types"
+)
+
+// readCredentials resolves auth-config from the current environment to be
+// applied to the container if the `--use-api-socket` flag is set.
+//
+//   - If a valid "DOCKER_AUTH_CONFIG" env-var is found, and it contains
+//     credentials, it's value is used.
+//   - If no "DOCKER_AUTH_CONFIG" env-var is found, or it does not contain
+//     credentials, it attempts to read from the CLI's credentials store.
+//
+// It returns an error if either the "DOCKER_AUTH_CONFIG" is incorrectly
+// formatted, or when failing to read from the credentials store.
+//
+// A nil value is returned if neither option contained any credentials.
+func readCredentials(dockerCLI config.Provider) (creds map[string]types.AuthConfig, _ error) {
+	if v, ok := os.LookupEnv("DOCKER_AUTH_CONFIG"); ok && v != "" {
+		// The results are expected to have been unmarshaled the same as
+		// when reading from a config-file, which includes decoding the
+		// base64-encoded "username:password" into the "UserName" and
+		// "Password" fields.
+		ac := &configfile.ConfigFile{}
+		if err := ac.LoadFromReader(strings.NewReader(v)); err != nil {
+			return nil, fmt.Errorf("failed to read credentials from DOCKER_AUTH_CONFIG: %w", err)
+		}
+		if len(ac.AuthConfigs) > 0 {
+			return ac.AuthConfigs, nil
+		}
+	}
+
+	// Resolve this here for later, ensuring we error our before we create the container.
+	creds, err := dockerCLI.ConfigFile().GetAllCredentials()
+	if err != nil {
+		return nil, fmt.Errorf("resolving credentials failed: %w", err)
+	}
+	return creds, nil
+}
diff --git a/cli/command/container/create.go b/cli/command/container/create.go
index 21ae31cd0a..8993ffce5c 100644
--- a/cli/command/container/create.go
+++ b/cli/command/container/create.go
@@ -240,16 +240,6 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		}
 	}
 
-	pullAndTagImage := func() error {
-		if err := pullImage(ctx, dockerCli, config.Image, options); err != nil {
-			return err
-		}
-		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
-			return trust.TagTrusted(ctx, dockerCli.Client(), dockerCli.Err(), trustedRef, taggedRef)
-		}
-		return nil
-	}
-
 	const dockerConfigPathInContainer = "/run/secrets/docker/config.json"
 	var apiSocketCreds map[string]types.AuthConfig
 
@@ -305,7 +295,7 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		// what they're doing and don't inject the creds.
 		if !envvarPresent {
 			// Resolve this here for later, ensuring we error our before we create the container.
-			creds, err := dockerCli.ConfigFile().GetAllCredentials()
+			creds, err := readCredentials(dockerCli)
 			if err != nil {
 				return "", fmt.Errorf("resolving credentials failed: %w", err)
 			}
@@ -331,6 +321,16 @@ func createContainer(ctx context.Context, dockerCli command.Cli, containerCfg *c
 		platform = &p
 	}
 
+	pullAndTagImage := func() error {
+		if err := pullImage(ctx, dockerCli, config.Image, options); err != nil {
+			return err
+		}
+		if taggedRef, ok := namedRef.(reference.NamedTagged); ok && trustedRef != nil {
+			return trust.TagTrusted(ctx, dockerCli.Client(), dockerCli.Err(), trustedRef, taggedRef)
+		}
+		return nil
+	}
+
 	if options.pull == PullImageAlways {
 		if err := pullAndTagImage(); err != nil {
 			return "", err