AWS - ssh to instance in private subnet

I have 2 instances in AWS. One of them in a public subnet (bastion), the second one in a private subnet.

Both of them were launched with the same key pair (.pem file).

This is how I connect to the bastion:

ssh -i secret.pem ec2-user@public-ip

Works great, I am in.

Now, I want to ssh the instance in a private subnet. Googling says that I should forward the agent:

ssh -A ubuntu@private-ip

But unfortunately I get the error:

Permission denied (publickey).

Can someone please explain what I am doing wrong and how to ssh the private instance? (ping and security groups are ok)

This is how I would do it:

In your own laptop, create (or edit existing file) ~/.ssh/config, and add the following:

Host [host or ip of the bastion server]
    User ec2-user
    IdentityFile ~/.ssh/pem_file_required_to_connect_to_bastion

Host [host or ip of the bastion server]
    User ec2-user
    IdentityFile ~/.ssh/pem_file_required_to_connect_to_server
    ProxyCommand ssh ec2-user@CHOSEN_HOST -W %h:%p

Replace CHOSEN_HOST with the same host you configured for the bastion server.

Example:

cat ~/.ssh/config
Host 3.126.138.136
    User ec2-user
    IdentityFile ~/.ssh/itaig.pem

Host 172.31.22.212
    User ec2-user
    IdentityFile ~/.ssh/itaig.pem
    ProxyCommand ssh [email protected] -W %h:%p

  ~/.ssh                                                                                                                                                                               at 02:40:57 PM 
❯
ssh 172.31.22.212
Last login: Sun Aug  8 11:40:41 2021 from ip-172-31-29-253.eu-central-1.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[ec2-user@ip-172-31-22-212 ~]$