SSH Keys not working with sshagent #299

Open
gfrileux opened this issue Sep 29, 2023 · 0 comments
Labels
bug Something isn't working


Jenkins and plugins versions report

Environment
Jenkins: 2.303.3
OS: Linux - 4.9.0-12-amd64
Java: 11.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
allure-jenkins-plugin:2.30.3
analysis-model-api:10.8.0
ansicolor:1.0.1
ant:1.12
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-cloudformation:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-codebuild:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ec2:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecr:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ecs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-efs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-elasticbeanstalk:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-iam:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-logs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-minimal:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sns:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-sqs:1.12.287-357.vf82d85a_6eefd
aws-java-sdk-ssm:1.12.287-357.vf82d85a_6eefd
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
blueocean:1.25.8
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.8
blueocean-commons:1.25.8
blueocean-config:1.25.8
blueocean-core-js:1.25.8
blueocean-dashboard:1.25.8
blueocean-display-url:2.4.1
blueocean-events:1.25.8
blueocean-git-pipeline:1.25.8
blueocean-github-pipeline:1.25.8
blueocean-i18n:1.25.8
blueocean-jwt:1.25.8
blueocean-personalization:1.25.8
blueocean-pipeline-api-impl:1.25.8
blueocean-pipeline-editor:1.25.8
blueocean-pipeline-scm-api:1.25.8
blueocean-rest:1.25.8
blueocean-rest-impl:1.25.8
blueocean-web:1.25.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-2
bouncycastle-api:2.25
branch-api:2.7.0
browserstack-integration:1.2.5
build-history-manager:1.4.0
build-keeper-plugin:1.3
build-name-setter:2.2.0
build-timestamp:1.0.3
build-with-parameters:1.6
built-on-column:1.1
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.2
cloudbees-bitbucket-branch-source:784.v7fcdc7c670f6
cloudbees-folder:6.16
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1512.vb_79d418d5fc8
credentials:2.6.1.1
credentials-binding:1.27.1
data-tables-api:1.11.3-4
display-url-api:2.3.5
docker-commons:1.21
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.10
docker-workflow:1.28
durable-task:501.ve5d4fc08b0be
echarts-api:5.2.2-1
email-ext:2.85
envinject:2.4.0
envinject-api:1.8
extended-choice-parameter:0.82
external-monitor-job:1.7
favorite:2.3.3.1
font-awesome-api:5.15.4-1
forensics-api:1.6.0
gatling:1.3.0
git:4.11.5
git-client:3.11.2
git-parameter:0.9.13
git-server:1.10
github:1.34.3.1
github-api:1.303-400.v35c2d8258028
github-branch-source:2.11.4
gradle:1.37.1
greenballs:1.15.1
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.28
http_request:1.12
jackson2-api:2.13.3-285.vc03c0256d517
jacoco:3.3.0
javadoc:1.6
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.8
jenkins-multijob-plugin:1.36
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.78.1
jobConfigHistory:2.28.1
jobcacher:264.vb_f4770b_79801
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.10
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
lockable-resources:2.12
mailer:414.vcc4c33714601
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:772.v494f19991984
maven-plugin:3.15.1
metrics:4.0.2.8
momentjs:1.1.1
multibranch-build-strategy-extension:1.0.10
okhttp-api:4.9.3-108.v0feda04578cf
pam-auth:1.6.1
parameterized-scheduler:1.0
parameterized-trigger:2.44
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-maven:3.10.0
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.8
plugin-util-api:2.16.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
pubsub-light:1.16
purge-build-queue-plugin:1.0
rebuild:1.32
resource-disposer:0.20
reverse-proxy-auth-plugin:1.7.1
run-condition:1.5
scm-api:608.vfa_f971c5a_a_e9
script-security:1138.v8e727069a_025
simple-theme-plugin:0.7
slack:2.48
snakeyaml-api:1.31-84.ve43da_fb_49d0b
sonar:2.14
sonar-quality-gates:1.3.1
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.806.v2253cedd3295
sshd:3.1.0
structs:324.va_f5d6774f3a_d
timestamper:1.14
token-macro:308.v4f2b_ed62b_b_16
trilead-api:1.0.13
uno-choice:2.6.1
variant:1.4
warnings-ng:9.7.0
webhook-step:80.v6737a5fd857b
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:1153.vb_912c0e47fb_a_
workflow-basic-steps:2.24
workflow-cps:2633.v6baeedc13805
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:1145.v7f2433caa07f
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:813.vb_d7c3d2984a_0
ws-cleanup:0.43

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins running on Docker

Reproduction steps

  1. Create an SSH Key credential "locally" on Jenkins, by manually creating a credential, and copy/pasting the Secret key and username. Jenkins > Manage Jenkins > Credential > Add credential
  2. Using the Secret Manager plugin, load a previously uploaded SSH Key credential from AWS Secret Manager
  3. Make sure both keys are added to GitHub and have the correct permissions on the repo being tested
  4. Test with the pipelines below for a github repository:
pipeline {
    agent any

    environment {
        // The key below is manually entered in Jenkins
        CREDENTIALS_ID_LOCAL = "xx-yy-zz"

        // This one below is imported via AWS Secret Manager plugin
        CREDENTIALS_ID_AWS = "global/dashboard/jenkins/dahboard_jenkins_ssh_key_api_eng_user"
    }

    stages {
        stage('this step works') {
            steps {
                sshagent(credentials: [CREDENTIALS_ID_LOCAL]) {
                    script {
                      sh(returnStdout: true, script: 'git fetch')
                    }
                }
            }
        }
        stage('this one does not') {
            steps {
                sshagent(credentials: [CREDENTIALS_ID_AWS]) {
                    script {
                      sh(returnStdout: true, script: 'git fetch')
                    }
                }
            }
        }
    }
}



Expected Results

Both steps should successfully execute the git fetch. The first stage works, but the second does not.

Actual Results

During the second step, we get the below message:

[ssh-agent] Using credentials EDITED-BUT -THIS-SHOWS-THE-CORRECT-SECRET-NAME
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent]   Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-QHrN9yoaNjpv/agent.8848
SSH_AGENT_PID=8851
Running ssh-add (command line suppressed)
Error loading key "/var/jenkins_home/workspace/folder_location_edited@tmp/private_key_2322035249091043671.key": invalid format

Anything else?

No response

@gfrileux gfrileux added the bug Something isn't working label Sep 29, 2023
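
Added example, not part of the original issue or of the plugin's code: ssh-add prints "invalid format" when it cannot parse the key file, so a useful check is whether the key text held in the secret store still has intact PEM framing. The function name, the problem labels and the sample key are constructed for illustration, and the issue does not establish which of these conditions, if any, applies here.

```python
import base64
import re
import sys
import textwrap

BEGIN_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")
END_RE = re.compile(rb"-----END ([A-Z0-9 ]*PRIVATE KEY)-----")
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def key_format_problems(data: bytes) -> list:
    """List framing problems in a private key file; never echoes key material."""
    problems = []
    if b"\\n" in data:
        problems.append("literal-backslash-n")  # newlines stored as two characters
    if b"\r" in data:
        problems.append("crlf-line-endings")
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("utf8-bom")
    if not data.endswith(b"\n"):
        problems.append("no-trailing-newline")
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if lines[-1] == b"":
        lines.pop()  # empty piece after the final newline
    begin = BEGIN_RE.fullmatch(lines[0]) if lines else None
    end = END_RE.fullmatch(lines[-1]) if lines else None
    if not begin:
        problems.append("begin-marker-not-alone-on-first-line")
    if not end:
        problems.append("end-marker-not-alone-on-last-line")
    if begin and end:
        if begin.group(1) != end.group(1):
            problems.append("marker-label-mismatch")
        for ln in lines[1:-1]:
            if not ln or b": " in ln:
                continue  # legacy encrypted PEM headers and their blank separator
            if not B64_RE.fullmatch(ln):
                problems.append("non-base64-body-line")
                break
    return problems


def sample_key() -> bytes:
    """Constructed stand-in with correct framing; the body is not a real key."""
    body = base64.b64encode(b"constructed-sample-not-a-real-key" * 4).decode()
    wrapped = "\n".join(textwrap.wrap(body, 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n".encode()


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:
        print(key_format_problems(fh.read()) or "framing looks intact")
```

Run it against a file holding the secret's value as retrieved from the store, and against the key that works, then compare the two results.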