Add quotes to every list element

A naive solution would be to iterate over your parameters list and append quotes to the beginning and end of each element:

', '.join('"' + item + '"' for item in parameters)

Note: this is vulnerable to SQL injection, whether accidental or deliberate. A better solution is to let the database quote and insert these values:

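# One "?" placeholder per value; the driver binds the values, so they never become SQL text.
query = "SELECT * FROM foo WHERE bar IN (%s)" % ','.join('?' * len(parameters))
cursor.execute(query, parameters)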

It’s easier to read and handles quoting properly.
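
An added example (not part of the original answer) that runs both approaches against an in-memory SQLite table. The table contents, function names and input values are constructed for illustration, and the naive version uses single quotes, the standard SQL string delimiter, instead of the double quotes shown above. It also handles the empty-list case, which would otherwise produce `IN ()`.

```python
import sqlite3

def make_db():
    # Constructed sample data; table foo and column bar follow the query above.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)",
                     [("alpha",), ("beta",), ("O'Brien",)])
    return conn

def select_naive(conn, parameters):
    # Vulnerable form: values are quoted by hand and spliced into the SQL text,
    # so a quote character inside a value is parsed as SQL.
    in_list = ", ".join("'" + item + "'" for item in parameters)
    query = "SELECT bar FROM foo WHERE bar IN (%s) ORDER BY id" % in_list
    return [row[0] for row in conn.execute(query)]

def select_in(conn, parameters):
    # Parameterized form: only "?" placeholders go into the SQL text and the
    # driver binds the values, so they are always treated as data.
    parameters = list(parameters)
    if not parameters:
        return []  # most SQL engines reject an empty "IN ()", and nothing can match
    placeholders = ",".join("?" * len(parameters))
    query = "SELECT bar FROM foo WHERE bar IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(query, parameters)]

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: an ordinary name containing an apostrophe, and a value
    # that closes the hand-written quote early.
    apostrophe = ["O'Brien"]
    crafted = ["x') OR ('1'='1"]
    try:
        select_naive(conn, apostrophe)
    except sqlite3.Error as exc:
        print("naive, apostrophe:", exc)
    print("naive, crafted:   ", select_naive(conn, crafted))
    print("bound, apostrophe:", select_in(conn, apostrophe))
    print("bound, crafted:   ", select_in(conn, crafted))
    print("bound, empty list:", select_in(conn, []))
```

The `?` placeholder is the style used by `sqlite3`; other DB-API drivers declare their own in `paramstyle` (for example `%s`), so the placeholder character has to match the driver in use.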
