The best answer requires far more details then your question provides. This answer serves as a general-purpose answer that applies to typical small scale usage of Google Cloud.
For enterprise-class development with multiple accounts, projects, hundreds of resources, etc. would require a different answer that includes organizations, folders, federations, SSO, VPNs, etc.
How should we handle the case when a developer gets fired?
Delete/Disable the developer's service account JSON key. Remove the user's IAM member account (email address) from having rights in Google Cloud.
Should we have a service account per developer?
Yes, you should create and issue one service account key per developer. Just like you would create separate login accounts for each user. You should also issue separate SSH keys to each developer for logging into Compute Engine instances.
How to provision these service accounts to developers?
You can create service accounts in the Google Cloud Console, the Google Cloud SDK CLI gcloud or via APIs.
Or is it actually better to go against the docs and authenticate using
developer accounts?
No - listen to the documentation. You can use User Accounts for the CLI gcloud but for any software written using SDKs/APIs, you should use service accounts. The Google SDKs will print warnings on the console about the usage of user credentials. If you plan to deploy software in the cloud you need to use (usually) service accounts. Invest the time now to do things correctly and securely. This will minimize headaches and problems later.
There are exceptions to everything I said. However, until you have a solid understanding of Google Cloud IAM and Security, follow the best practices. Google Cloud Authentication is very complex and an expert developer could create backdoors into GCP if you try to take shortcuts.
