To use your SSH key on a bastion host and leap-frog from there to a protected server:

Make sure the ssh agent is running
eval `ssh-agent -s`
Then add your key and list the loaded keys to confirm it is there
ssh-add -k your-key.pem
ssh-add -L
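Then connect to the bastion with agent forwarding enabled, so the hop from the bastion to the protected server can use the key held by your local agent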
ssh -A ec2-user@your-ip
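
The same steps as reusable shell functions, written as an added example and not part of the original notes. The function names and KEY_TTL are assumptions; the key file and host are the placeholders used above.

```shell
#!/bin/sh
# Added example: agent setup for the bastion hop, with two safeguards.
# While an ssh -A session is open, root on the bastion can use the forwarded
# agent, so the key is loaded with a lifetime instead of indefinitely.

KEY_TTL="${KEY_TTL:-3600}"   # assumption: seconds a loaded key stays in the agent

# Start an agent only if none is reachable, so repeated runs do not leave
# stray ssh-agent processes. ssh-add -l exits 2 when it cannot contact an agent.
ensure_agent() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Load a key with a lifetime (-t). Downloaded .pem files are often readable by
# group/other, which ssh-add rejects; check first and say how to fix it.
load_key() {
    key="$1"
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    perms=$(ls -l "$key" | cut -c5-10)       # group and other permission bits
    [ "$perms" = "------" ] || { echo "run: chmod 600 $key" >&2; return 1; }
    ssh-add -t "$KEY_TTL" "$key" || return 1
    ssh-add -l >/dev/null                    # exits 0 only if a key is loaded
}

# Usage, with the placeholders from the notes:
#   ensure_agent && load_key your-key.pem && ssh -A ec2-user@your-ip
```

With an OpenSSH 7.3 or later client, ssh -J ec2-user@your-ip followed by the protected server's address reaches it through the bastion without forwarding the agent.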

https://www.daveeddy.com/2017/10/18/persistent-sshagent-on-bash-on-ubuntu-on-windows/
https://medium.com/@crishantha/handing-bastion-hosts-on-aws-via-ssh-agent-forwarding-f1d2d4e8622a