Documentation from Google says <https://cloud.google.com/dataflow/security-and-permissions#accessing-cloud-datastore-across-cloud-platform-projects>
"To access a Datastore owned by a different Cloud Platform project, you'll need to add your Dataflow project's Compute Engine (<project-number>-comp...@developer.gserviceaccount.com) service account as *editor of the project* that owns the Datastore."

This seems very loose. The Compute Engine Service User is just going to access Datastore, so Datastore User permissions are correct. On the other hand, Project Editor permissions give near-unrestricted access to every aspect of this different Cloud Platform project. Why should the permissions be defined so loosely?