Ansible SSH Agent forwarding with Jump (bastion) host

ansible.cfg

[defaults]
sudo_flags = SSH_AUTH_SOCK="$SSH_AUTH_SOCK" -H -S -n

[ssh_connection]
ssh_args=-o ForwardAgent=yes

ssh config

ControlMaster auto
ControlPath ~/.ssh/tmp/control_%h_%p_%r
ControlPersist 1m

Host jump
    HostName <jump_ip>
    User nazarewk
    ForwardAgent yes

Host secured-*
    User nazarewk
##   ProxyJump works on OpenSSH 7.3+ (newest version as of 16.09.2016)
#    ProxyJump jump
    ProxyCommand ssh jump -W %h:%p
    ForwardAgent yes

ssh-forward.yml

- name: Ensuring we can ForwardAgent
  lineinfile:
    dest: "~/.profile"
    line: '[ -n "$SSH_AUTH_SOCK" ] && setfacl -m u:{{ project_user }}:rw "$SSH_AUTH_SOCK" && setfacl -m u:{{ project_user }}:x "$(dirname $SSH_AUTH_SOCK)"'
    insertafter: EOF

- name: Ensure we have ForwardAgent
  command: ssh-add -l
  become: true
  become_user: "{{ project_user }}"

For whatever reason it also needs a terminal session opened to the target server in another window while deploy is running (so SSH_AUTH_SOCK shared with ansible gets proper permissions)

UPDATE: ControlPersist 1m option enables ssh not to drop the connection immediately after closing last session opened for another minute, so ansible is now happily reusing effectively the same connection with the server and don't need separate session opened.