Update scripts/deploy to pull GCP credentials from Hashicorp Vault
The script scripts/deploy is currently using long-lived service account keys to access the GCS buckets it deploys to, and those keys are stored in CI variables. We want to move away from long-lived SA keys, and either rotate them automatically or do away with them completely (see https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/16689), and we now have a solution using service account impersonation via Hashicorp Vault (vault.gitlab.net/) instead of service account keys.
Steps:

- import the `about-gitlab-com` service accounts into `config-mgmt` and add the necessary IAM permissions allowing Vault to impersonate them
- add @gitlab-infra-mgmt-bot as maintainer of this project so that `infra-mgmt` can configure the necessary CI variables for Vault
- add this project in `infra-mgmt` to set up Vault for it, with the impersonation policies for `about-gitlab-com` enabled
- enable ID tokens in the CI configuration
- update `scripts/deploy` to get the GCP credentials from Vault instead of CI variables, maybe also rewrite it in Ruby at the same time to avoid having to install the Vault binary and to make querying it easier
- delete the service account keys and delete them from the CI variables
Edited by Pierre Guinoiseau