
How to create a token to pull a single container from Artifact Registry?


How would one generate a short-lived token to pull a single Docker container from Google's Artifact Registry (preferably using the Node API to generate the token)? How does one use the token to pull the container (e.g. from a Bash command line)?


Solution

  • How to create a token to pull a single container from Artifact Registry?

    You cannot achieve that in Google Cloud.

    In Google Cloud, permissions are managed at the project level (all resources of a specific type) or at the individual resource level.

    You can create short-lived tokens. Google Cloud implements OAuth 2.0 Access and Identity tokens that have a default life of one hour. This can be changed via an Org policy for up to 12 hours. To create a token with a different lifetime requires creating your own JWT, signing it with a service account private key, and then exchanging the signed JWT for an OAuth token. It is fairly easy to do, and I wrote articles on how to do this on my website.

    Google Artifact Registry does not support IAM permissions at the resource (object, image, container, etc.) level. This means you cannot create a token with permissions for a single resource, such as a container image.

    You could create a single repository with a single container image and then grant access to only that repository.