diff --git a/cmd/osbuild-upload-pulp-ostree/main.go b/cmd/osbuild-upload-pulp-ostree/main.go
index bab8c2e84..9fa448834 100644
--- a/cmd/osbuild-upload-pulp-ostree/main.go
+++ b/cmd/osbuild-upload-pulp-ostree/main.go
@@ -1,10 +1,8 @@
 package main
 
 import (
-	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 
 	"github.com/osbuild/osbuild-composer/internal/upload/pulp"
@@ -17,16 +15,6 @@ func check(err error) {
 	}
 }
 
-func readCredentials(credPath string) *pulp.Credentials {
-	fp, err := os.Open(credPath)
-	check(err)
-	data, err := io.ReadAll(fp)
-	check(err)
-	var creds pulp.Credentials
-	check(json.Unmarshal(data, &creds))
-	return &creds
-}
-
 func main() {
 	var filename, apiURL, repository, basePath, credsFile string
 	flag.StringVar(&filename, "archive", "", "ostree archive to upload")
@@ -36,9 +24,11 @@ func main() {
 	flag.StringVar(&credsFile, "credentials", "", `file containing credentials (format: {"username": "...", "password": "..."})`)
 	flag.Parse()
 
-	client := pulp.NewClient(apiURL, readCredentials(credsFile))
+	client, err := pulp.NewClientFromFile(apiURL, credsFile)
+	check(err)
 
 	repoURL, err := client.UploadAndDistributeCommit(filename, repository, basePath)
 	check(err)
+
 	fmt.Printf("The commit will be available in the repository at %s\n", repoURL)
 }
diff --git a/cmd/osbuild-worker/config.go b/cmd/osbuild-worker/config.go
index 43491d0cc..e48bacb23 100644
--- a/cmd/osbuild-worker/config.go
+++ b/cmd/osbuild-worker/config.go
@@ -66,6 +66,11 @@ type containersConfig struct {
 	TLSVerify    bool   `toml:"tls_verify"`
 }
 
+type pulpConfig struct {
+	Credentials string `toml:"credentials"`
+	ServerURL   string `toml:"server_address"`
+}
+
 type workerConfig struct {
 	Composer       *composerConfig             `toml:"composer"`
 	Koji           map[string]kojiServerConfig `toml:"koji"`
@@ -76,6 +81,7 @@ type workerConfig struct {
 	Authentication *authenticationConfig       `toml:"authentication"`
 	Containers     *containersConfig           `toml:"containers"`
 	OCI            *ociConfig                  `toml:"oci"`
+	Pulp           *pulpConfig                 `toml:"pulp"`
 	// default value: /api/worker/v1
 	BasePath string `toml:"base_path"`
 	DNFJson  string `toml:"dnf-json"`
diff --git a/cmd/osbuild-worker/config_test.go b/cmd/osbuild-worker/config_test.go
index 34b5115c5..7e0e94746 100644
--- a/cmd/osbuild-worker/config_test.go
+++ b/cmd/osbuild-worker/config_test.go
@@ -65,6 +65,10 @@ oauth_url = "https://example.com/token"
 client_id = "toucan"
 client_secret = "/etc/osbuild-worker/client_secret"
 offline_token = "/etc/osbuild-worker/offline_token"
+
+[pulp]
+credentials = "/etc/osbuild-worker/pulp-creds"
+server_address = "https://example.com/pulp"
 `,
 			want: &workerConfig{
 				BasePath: "/api/image-builder-worker/v1",
@@ -116,6 +120,10 @@ offline_token = "/etc/osbuild-worker/offline_token"
 					ClientId:         "toucan",
 					ClientSecretPath: "/etc/osbuild-worker/client_secret",
 				},
+				Pulp: &pulpConfig{
+					Credentials: "/etc/osbuild-worker/pulp-creds",
+					ServerURL:   "https://example.com/pulp",
+				},
 			},
 		},
 		{
diff --git a/cmd/osbuild-worker/jobimpl-osbuild.go b/cmd/osbuild-worker/jobimpl-osbuild.go
index 307cdebda..2c186ca94 100644
--- a/cmd/osbuild-worker/jobimpl-osbuild.go
+++ b/cmd/osbuild-worker/jobimpl-osbuild.go
@@ -85,6 +85,7 @@ type OSBuildJobImpl struct {
 	AWSBucket        string
 	S3Config         S3Configuration
 	ContainersConfig ContainersConfiguration
+	PulpConfig       PulpConfiguration
 }
 
 // Returns an *awscloud.AWS object with the credentials of the request. If they
@@ -300,24 +301,42 @@ func (impl *OSBuildJobImpl) getContainerClient(destination string, targetOptions
 	return client, nil
 }
 
+// Read server configuration and credentials from the target options and fall
+// back to worker config if they are not set (targetOptions take precedent).
+// Mixing sources is allowed. For example, the server address can be configured
+// in the worker config while the targetOptions provide the credentials (or
+// vice versa).
 func (impl *OSBuildJobImpl) getPulpClient(targetOptions *target.PulpOSTreeTargetOptions) (*pulp.Client, error) {
-	creds := &pulp.Credentials{}
+
+	var creds *pulp.Credentials
+	// Credentials are considered together. In other words, the username can't
+	// come from a different config source than the password.
 	if targetOptions.Username != "" && targetOptions.Password != "" {
 		creds = &pulp.Credentials{
 			Username: targetOptions.Username,
 			Password: targetOptions.Password,
 		}
-	} else {
-		// TODO: read from worker configuration
-		return nil, fmt.Errorf("no credentials for pulp were set")
 	}
-
-	if targetOptions.ServerAddress == "" {
-		// TODO: read from worker configuration
+	address := targetOptions.ServerAddress
+	if address == "" {
+		// fall back to worker configuration for server address
+		address = impl.PulpConfig.ServerAddress
+	}
+	if address == "" {
 		return nil, fmt.Errorf("pulp server address not set")
 	}
 
-	return pulp.NewClient(targetOptions.ServerAddress, creds), nil
+	if creds != nil {
+		return pulp.NewClient(address, creds), nil
+	}
+
+	// read from worker configuration
+	if impl.PulpConfig.CredsFilePath == "" {
+		return nil, fmt.Errorf("pulp credentials not set")
+	}
+
+	// use creds file loader helper
+	return pulp.NewClientFromFile(address, impl.PulpConfig.CredsFilePath)
 }
 
 func (impl *OSBuildJobImpl) Run(job worker.Job) error {
diff --git a/cmd/osbuild-worker/main.go b/cmd/osbuild-worker/main.go
index 3c5a7b70e..b4409e83f 100644
--- a/cmd/osbuild-worker/main.go
+++ b/cmd/osbuild-worker/main.go
@@ -426,6 +426,13 @@ func main() {
 		}
 	}
 
+	var pulpCredsFilePath = ""
+	var pulpAddress = ""
+	if config.Pulp != nil {
+		pulpCredsFilePath = config.Pulp.Credentials
+		pulpAddress = config.Pulp.ServerURL
+	}
+
 	// depsolve jobs can be done during other jobs
 	depsolveCtx, depsolveCtxCancel := context.WithCancel(context.Background())
 	solver := dnfjson.NewBaseSolver(rpmmd_cache)
@@ -487,6 +494,10 @@ func main() {
 				CertPath:     containersCertPath,
 				TLSVerify:    &containersTLSVerify,
 			},
+			PulpConfig: PulpConfiguration{
+				CredsFilePath: pulpCredsFilePath,
+				ServerAddress: pulpAddress,
+			},
 		},
 		worker.JobTypeKojiInit: &KojiInitJobImpl{
 			KojiServers: kojiServers,
diff --git a/internal/upload/pulp/pulp.go b/internal/upload/pulp/pulp.go
index c256a9329..b2e7653f6 100644
--- a/internal/upload/pulp/pulp.go
+++ b/internal/upload/pulp/pulp.go
@@ -2,6 +2,7 @@ package pulp
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -17,8 +18,27 @@ type Client struct {
 }
 
 type Credentials struct {
-	Username string
-	Password string
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+func NewClientFromFile(url, path string) (*Client, error) {
+	fp, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer fp.Close()
+
+	data, err := io.ReadAll(fp)
+	if err != nil {
+		return nil, err
+	}
+	var creds Credentials
+	if err := json.Unmarshal(data, &creds); err != nil {
+		return nil, err
+	}
+
+	return NewClient(url, &creds), nil
 }
 
 func NewClient(url string, creds *Credentials) *Client {