The provisioning process requires an IAM user (AWS IoT Core) or a shared access policy (Azure IoT Hub) to provision the devices to your cloud account.
These keys are requested each time the provisioning is triggered and are never stored in the service.
Once the provisioning of all devices has been completed, it is recommended to revoke or delete the keys.
See here for more information.