I am running ansible-playbook in GitLab CI with the Docker executor.
To add a private key to the container, I use ssh-agent:
before_script:
  - eval $(ssh-agent -s)
  - chmod 400 "$SSH_PRIVATE_KEY"
  - ssh-add "$SSH_PRIVATE_KEY"
  - mkdir -p ~/.ssh
  - chmod 700 ~/.ssh
Used this way, a direct connection to the Ansible hosts succeeds.
But I need to connect to hosts that are behind a bastion server. To do that, I'm using:
ansible_ssh_common_args: '-o ProxyCommand="ssh -p 2202 -A -W %h:%p -q [email protected]"'
The ansible user on the transition server has the public part of the key added to the ssh agent.
With this configuration I am having connection problems. I think I am not using the key from the ssh-agent when I call ProxyCommand.
I get this error when I run it:
host01 | UNREACHABLE! => {
    "changed": false,
    "msg": "Data could not be sent to remote host "192.168.1.10". Make sure this host can be reached over ssh:
OpenSSH_9.7p1, OpenSSL 3.3.1 4 Jun 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: include /etc/ssh/ssh_config.d/*.conf matched no files
debug2: resolve_canonicalize: hostname 192.168.1.10 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug1: auto-mux: Trying existing master at '/root/.ansible/cp/4450681ae2'
debug1: Control socket "/root/.ansible/cp/4450681ae2" does not exist
debug3: channel_clear_timeouts: clearing
debug1: Executing proxy command: exec ssh -p 8022 -A -W 192.168.1.10:22 -q [email protected]
debug3: timeout: 60000 ms remain after connect
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535",
    "unreachable": true
}
This is my test inventory:
all:
  vars:
    ansible_connection: ssh
    ansible_user: ansible
    ansible_ssh_common_args: '-o ProxyCommand="ssh -p 2202 -A -W %h:%p -q [email protected]"'
  hosts:
    host01:
      ansible_host: 192.168.1.10
Can you please tell me if I understand correctly that the key from ssh-agent is not available to the ProxyCommand?
And maybe someone can tell me how to connect via a bastion in Ansible when using ssh-agent?
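As an added example (not part of the original post or of any answer to it): a GitLab CI job and a matching inventory that load the deploy key into ssh-agent and reach hosts behind the bastion with ProxyJump instead of a hand-written ProxyCommand. The proxy hop is spawned by the ssh process itself and inherits SSH_AUTH_SOCK, so the agent key is usable at both hops; with stdio forwarding (-W or ProxyJump) no command runs on the bastion, so forwarding the agent there with -A is not needed and only widens what a compromised bastion could reach. Names are assumptions: the bastion is bastion.example.com on port 2202, the Alpine image and package names are illustrative, and SSH_PRIVATE_KEY and SSH_KNOWN_HOSTS are GitLab CI variables of type "File" (the second holds the host keys collected out of band, so host-key checking stays on).

```yaml
# Added example, not code from the original post. Assumptions: bastion is
# bastion.example.com:2202; SSH_PRIVATE_KEY and SSH_KNOWN_HOSTS are GitLab CI
# "File" variables holding the private key and a known_hosts file.
deploy:
  image: alpine:3.20            # assumption: any image with openssh-client and ansible
  before_script:
    - apk add --no-cache openssh-client ansible
    - eval "$(ssh-agent -s)"
    - chmod 400 "$SSH_PRIVATE_KEY"
    - ssh-add "$SSH_PRIVATE_KEY"
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    # Pin host keys for bastion and targets instead of disabling checking.
    - install -m 600 "$SSH_KNOWN_HOSTS" ~/.ssh/known_hosts
    # Sanity check 1: the agent holds the deploy key.
    - ssh-add -l
    # Sanity check 2: the jump itself works before Ansible is involved. The
    # proxy hop inherits SSH_AUTH_SOCK from this ssh process, so no -A is used.
    # BatchMode makes a missing host key or a prompt fail the job fast.
    - ssh -o BatchMode=yes -J ansible@bastion.example.com:2202 ansible@192.168.1.10 true
  script:
    - ansible-playbook -i inventory.yml site.yml
---
# inventory.yml
all:
  vars:
    ansible_connection: ssh
    ansible_user: ansible
    # ProxyJump replaces the ProxyCommand string; no agent forwarding to the
    # bastion, and host-key verification is enforced on both hops.
    ansible_ssh_common_args: '-o ProxyJump=ansible@bastion.example.com:2202 -o StrictHostKeyChecking=yes'
  hosts:
    host01:
      ansible_host: 192.168.1.10
```

The two sanity checks are the useful part when debugging: if `ssh-add -l` lists nothing, the key never reached the agent; if the `-J` test fails while `ssh-add -l` is fine, the problem is the bastion hop (port, user, or the bastion not accepting the key), not agent visibility.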