E.g. in inventory create:

ssh-config.yml

with:

ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p {{ AWS_IAM_ID }}@hostname' -o ControlMaster=auto -o ControlPersist=30m -o StrictHostKeyChecking=no"

Then make sure you’ve got both your private keys (bastion and destination) added via ssh-add.

E.g. ssh-add ~/.ssh/id_rsa

etc…

Debugging

1. use ansible -vvvv to get ssh output
2. run this ssh command
3. I was getting

ec2-user@<ip>: Permission denied (publickey).

4. ssh to bastion and check you can access that host

5. on the bastion check the sshd logs

tail -f /var/log/auth.log

which revealed nothing.

Oct 24 13:22:27 0 systemd-logind[1268]: New session 61400 of user snowcrash.
Oct 24 13:22:28 0 sshd[23318]: Received disconnect from <my ip> port 61226:11: disconnected by user

i.e. the first line shows the successful ssh connection to the jumpbox. The second shows the disconnect.

Note: setting sshd logging to verbose did not help. e.g.

Oct 24 13:36:19 0 systemd-logind[1268]: New session 61405 of user snowcrash.
Oct 24 13:36:19 0 sshd[9788]: User child is on pid 9949
Oct 24 13:36:19 0 sshd[9949]: Received disconnect from <my ip> port 61404:11: disconnected by user

6. checking the destination box

Note this had a different sshd log at:

/var/log/secure

A successful connection (i.e. directly from the bastion host) would show:

Accepted publickey for ec2-user

but via the proxy command I’d get:

Connection closed by <bastion> [preauth]