All current documentation showcases using GCP Service Account JSON Keys for deploying with Bitbucket Pipelines Deployment. But these are notoriously insecure and hard to maintain and keep rotated.

GCP has several different solutions detailed here. I think the right solution is for Bitbucket to support Workload Identity Federation. Bitbucket supplies the ID Token, and we authenticate our Service Account(s) with it. Then there are no keys to manage/secure/rotate.